The application default credentials not working in plugin gcp-secrets-manager with git checkout

XMLWordPrintable

      I have configured the Jenkins master in GCP with applications default credentials, so I don't have configured anywhere GOOGLE_APPLICATION_CREDENTIALS and when credentials are being used withCredentials method, then it's working properly

      node('some-non-gcp-agent') {
    withCredentials(bindings: [sshUserPrivateKey(credentialsId: 'some-ssh-key', keyFileVariable: 'SSH_KEY_FOR_ABC')]) {
        echo env.SSH_KEY_FOR_ABC
    }
}

      outputs:

      ...
[Pipeline] {
    [Pipeline] withCredentials
    Masking supported pattern matches of $SSH_KEY_FOR_ABC
    [Pipeline] {
        [Pipeline] echo
        ****
        [Pipeline] }
    [Pipeline] // withCredentials
    [Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS

      But when it's used with git checkout like this:

      node('some-non-gcp-agent') {
    git url: 'git@git.example.com:some/repo.git', credentialsId: 'some-ssh-key'
}

      it throws an exception:

      Running on some-non-gcp-agent in /home/jenkins-slave/workspace/test-pipeline
[Pipeline] {
    [Pipeline] git
    Selected Git installation does not exist. Using Default
    The recommended git tool is: NONE
    using credential some-ssh-key
    Cloning the remote Git repository
    Cloning repository git@git.example.com:some/repo.git
        > git init /home/jenkins-slave/workspace/test-pipeline # timeout=10
    Fetching upstream changes from git@git.example.com:some/repo.git
        > git --version # timeout=10
        > git --version # 'git version 1.8.3.1'
    using GIT_SSH to set credentials some-ssh-key

    [Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
java.io.IOException: The Application Default Credentials are not available. They are available if running in Google Compute Engine. Otherwise, the environment variable GOOGLE_APPLICATION_CREDENTIALS must be defined pointing to a file defining the credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
at com.google.auth.oauth2.DefaultCredentialsProvider.getDefaultCredentials(DefaultCredentialsProvider.java:134)
at com.google.auth.oauth2.GoogleCredentials.getApplicationDefault(GoogleCredentials.java:119)
at com.google.auth.oauth2.GoogleCredentials.getApplicationDefault(GoogleCredentials.java:91)
at com.google.api.gax.core.GoogleCredentialsProvider.getCredentials(GoogleCredentialsProvider.java:67)
at com.google.api.gax.rpc.ClientContext.create(ClientContext.java:145)
at com.google.cloud.secretmanager.v1.stub.GrpcSecretManagerServiceStub.create(GrpcSecretManagerServiceStub.java:237)
at com.google.cloud.secretmanager.v1.stub.SecretManagerServiceStubSettings.createStub(SecretManagerServiceStubSettings.java:226)
at com.google.cloud.secretmanager.v1.SecretManagerServiceClient.<init>(SecretManagerServiceClient.java:154)
at com.google.cloud.secretmanager.v1.SecretManagerServiceClient.create(SecretManagerServiceClient.java:135)
at com.google.cloud.secretmanager.v1.SecretManagerServiceClient.create(SecretManagerServiceClient.java:126)
at io.jenkins.plugins.credentials.gcp.secretsmanager.GcpSecretGetter.getPayload(GcpSecretGetter.java:35)
Also:   hudson.remoting.Channel$CallSiteStackTrace: Remote call to some-non-gcp-agent
at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1797)
at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:356)
at hudson.remoting.Channel.call(Channel.java:1001)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:143)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:129)
at com.sun.proxy.$Proxy136.execute(Unknown Source)
at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1224)
at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1302)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:129)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:97)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:84)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused: com.cloudbees.plugins.credentials.CredentialsUnavailableException: Property 'secret' is currently unavailable, reason: Could not retrieve the credentials from GCP Secrets Manager
at io.jenkins.plugins.credentials.gcp.secretsmanager.GcpSecretGetter.getPayload(GcpSecretGetter.java:47)
at io.jenkins.plugins.credentials.gcp.secretsmanager.GcpSecretGetter.getSecretString(GcpSecretGetter.java:26)
at io.jenkins.plugins.credentials.gcp.secretsmanager.CredentialsFactory$SecretSupplier.get(CredentialsFactory.java:77)
at io.jenkins.plugins.credentials.gcp.secretsmanager.CredentialsFactory$SecretSupplier.get(CredentialsFactory.java:63)
at io.jenkins.plugins.credentials.gcp.secretsmanager.GcpSshUserPrivateKey.getPrivateKeys(GcpSshUserPrivateKey.java:29)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.createSshKeyFile(CliGitAPIImpl.java:2279)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2022)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:84)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:618)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$2.execute(CliGitAPIImpl.java:847)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:158)
at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:151)
at hudson.remoting.UserRequest.perform(UserRequest.java:211)
at hudson.remoting.UserRequest.perform(UserRequest.java:54)
at hudson.remoting.Request$2.run(Request.java:376)
at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:78)
at java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.lang.Thread.run(Thread.java:829)
Finished: FAILURE

            Assignee:
            Michael Daugherty
            Reporter:
            Mateusz Janczuk
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: