Authenticating standalone gsutil in containers in Cloud ML Engine on Kubernetes with Workload Identity

Question

I\'m launching container images on Google Cloud AI Training (Cloud ML Engine)

Inside those containers I need to use gsutil. Some containers have gsutil. In that case

Answer 1

This is because that pip install gsutil alone does not configure the credentials, which is why it's anonymous user as the error says. You'll want to configure credentials to access protected data.

Put following line in your docker file and it should work:

RUN echo '[GoogleCompute]\nservice_account = default' > /etc/boto.cfg

It's to configure gsutil to use the default service account.

Answer 2

Workload identity is the better way of doing the same.

You create a relation between the Kubernetes service account and Google cloud Service account.

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity