I’d like to preface this by saying we’re just toying with autoscaler out of curiosity and we’re not using this for business or critical stuff, we just figured it’d be cool to play with.
Firstly, there is 0 mention of authenticating autoscaler with GCE in the docs. It took an hour of digging through the autoscaler source and GC documentation to find that we may need a .json file containing a key and various bits, passed as an env: GOOGLE_APPLICATION_CREDENTIALS=/path/to/file.json although I’m increasingly starting to think that this isn’t correct at all. This at least lets autoscaler start and attempt to provision VMs.
Now at the point where autoscaler is trying to create instances, it falls at the first hurdle trying to create the firewall group with a 403, which I’m pretty sure is related to the incorrect auth we’re using.
I’ve also noticed a few inconsistencies/errors in the documentation for Google Cloud on autoscale.drone.io but I can’t find the source repo for that site (I presume it’s private). It would be nice to see this public so we can contribute fixes to it?
Can you shed some light on how this is supposed to work because we’re lost. Cheers
You need to login with gcloud to generate the default credential file, and then mount this file into your container environment as a volume. The google client (used by the autoscaler) will automatically look for this file at /root/.config/gcloud/application_default_credentials.json
You are correct this needs to be added to the docs, and this would likely resolve the 403 issue you are experiencing, since the credentials will be properly scoped. That aside, is there anything else missing from the docs that you feel needs improved?
The other thing I noticed is that the GCP page says in step 3: -e DRONE_GOOGLE_REGION={DRONE_GOOGLE_REGION} \
where it should actually be -e DRONE_GOOGLE_ZONE={DRONE_GOOGLE_ZONE} \
assuming it is supposed to be the ZONE variable.
Aside from that, I think that’s good. I’ll let you know if the credentials don’t work.
From the gcloud cli that is probably worth noting for your docs:
WARNING: `gcloud auth login` no longer writes application default credentials.
If you need to use ADC, see:
gcloud auth application-default --help
You have to run gcloud auth application-default login to get it to write the config file.
The config file authorises autoscaler to provision VMs as me. I’m still playing to see if there is a way we can have it provision as the service account instead of my user.
The authentication method we used was this one, which afaik is the “standard” method of authenticating with the google api client libraries. https://cloud.google.com/docs/authentication/production
I’m still having a hard time working out why the permissions weren’t correct, though. It’s almost certainly a GCP issue and not an autoscaler issue
If you figure out how to use service accounts (e.g. which scopes are required and how to set that up) please share. It is definitely something that should be added to the docs.
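The two ways of handing credentials to the container that this thread touches on (a user ADC file written by `gcloud auth application-default login`, mounted where the google client looks for it, versus a service account key pointed to with GOOGLE_APPLICATION_CREDENTIALS) are put together below as an added example; it is not code from the thread or from the drone autoscaler project. The in-container mount path for the service account key (/run/secrets/gcp-key.json) and the sample JSON files are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide how to expose GCP credentials to the autoscaler container
# based on the "type" field of the credentials JSON. Not autoscaler project code.

# Default search path used by the google client inside the container (from the thread).
ADC_IN_CONTAINER=/root/.config/gcloud/application_default_credentials.json
# Assumed in-container path for a service account key (example-only choice).
SA_KEY_IN_CONTAINER=/run/secrets/gcp-key.json

# Where `gcloud auth application-default login` writes the user ADC file on the host;
# CLOUDSDK_CONFIG overrides gcloud's default config directory.
host_adc_path() {
  printf '%s/application_default_credentials.json\n' "${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}"
}

# Print the "type" field of a credentials JSON file ("authorized_user" for a user ADC
# file, "service_account" for a key), or "unknown" if the field is missing.
cred_type() {
  sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1 | grep . || echo unknown
}

# Emit the docker run flags for the given credentials file.
# A user ADC file acts as the logged-in user, so it is mounted read-only at the
# default path; a service account key is mounted read-only elsewhere and referenced
# via GOOGLE_APPLICATION_CREDENTIALS, so the autoscaler acts as that account instead.
cred_docker_args() {
  file=$1
  [ -r "$file" ] || { echo "cannot read credentials file: $file" >&2; return 1; }
  case "$(cred_type "$file")" in
    authorized_user)
      printf '%s %s:%s:ro\n' -v "$file" "$ADC_IN_CONTAINER" ;;
    service_account)
      printf '%s %s:%s:ro %s GOOGLE_APPLICATION_CREDENTIALS=%s\n' \
        -v "$file" "$SA_KEY_IN_CONTAINER" -e "$SA_KEY_IN_CONTAINER" ;;
    *)
      echo "unrecognised credentials file (no usable \"type\"): $file" >&2; return 1 ;;
  esac
}

# Usage: sh this.sh [credentials.json]; with no argument, the host ADC path is used.
if [ "$#" -gt 0 ]; then
  cred_docker_args "$1"
elif [ -r "$(host_adc_path)" ]; then
  cred_docker_args "$(host_adc_path)"
fi
```

The printed flags are meant to be spliced into the docker run command from the docs alongside -e DRONE_GOOGLE_ZONE and the other autoscaler settings.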