Support to create resources in GCP setting GOOGLE_CREDENTIAL_APPLICATIONS (via oblt-google-auth-buildkite-plugin)#3167
Merged: mrodm merged 20 commits into elastic:main on Jan 16, 2026
Set the terraform docker-compose scenario as a template in order to be able to set the volumes just when the environment variables are defined. This will help when executing elastic-package in local scenarios.
mrodm commented Jan 14, 2026
| source: ${SERVICE_LOGS_DIR} | ||
| target: /run/service_logs/ | ||
| read_only: false | ||
| {{ if ne $google_application_credentials "" }} |
GOOGLE_APPLICATION_CREDENTIALS for agent should be set via variables in data stream.
Example for the panw_cortex_xdr package (it could depend on the variables defined in each data stream/package):
data_stream:
  vars:
    service_account_file: "{{GOOGLE_APPLICATION_CREDENTIALS}}"
mrodm commented Jan 14, 2026
| { | ||
| "project_id": "my-gcp-project", | ||
| "private_key_id": "some_key_id", | ||
| "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n", |
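Review bot: the visible lines of this fixture read as a well-formed service-account JSON (project_id, private_key_id, private_key), so what makes the file invalid is not apparent from the diff; a comment in the test that consumes it, naming the defect being exercised, would make the intent clear. The private_key placeholder should stay obviously fake as it is here, since secret scanners match on the BEGIN PRIVATE KEY marker.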
This test file is to check reading an invalid JSON.
mrodm commented Jan 14, 2026
Moved to a template so it can render different contents depending on the factors (presence of google application credentials files).
mrodm commented Jan 14, 2026
💚 Build Succeeded
cc @mrodm
mrodm commented Jan 15, 2026
Comment on lines +19 to +34
| {{ if ne $google_application_credentials "" }} | ||
| # Mount Google Application Credentials file provided | ||
| # Required for authenticating when resources must be created/deleted in GCP | ||
| - type: bind | ||
| source: {{ $google_application_credentials }} | ||
| target: {{ $google_application_credentials }} | ||
| read_only: true | ||
| {{ end }} | ||
| {{ if ne $google_credential_source_file "" }} | ||
| # Mount Google credential source file (token file) provided | ||
| # Required for external accounts authentication when resources must be created/deleted in GCP | ||
| - type: bind | ||
| source: {{ $google_credential_source_file }} | ||
| target: {{ $google_credential_source_file }} | ||
| read_only: true | ||
| {{ end }} |
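Review bot: both mounts reuse the host path as the container target (`source: {{ $google_application_credentials }}` / `target: {{ $google_application_credentials }}`), which is what keeps the credential_source.file path written inside the credentials JSON resolvable from the container, but a docker-compose bind target must be an absolute path, so a relative value in either variable renders an invalid mount; validating that both values are absolute before rendering, or documenting the requirement, would fail earlier with a clearer message. The template also treats $google_application_credentials and $google_credential_source_file as independent inputs, while the second must equal the credential_source.file value inside the first for authentication to work; a comment stating that coupling is worth adding here.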
Added new volume mounts to include (if present) the google application credentials and the credential source file.
This approach is for both Elastic Agent and Terraform containers.
jsoriano approved these changes Jan 15, 2026
jsoriano approved these changes Jan 16, 2026
Fixes #2606
Our CI environments are using this buildkite plugin to set the google credentials via OIDC: https://github.com/elastic/oblt-google-auth-buildkite-plugin
As this plugin sets the GOOGLE_APPLICATION_CREDENTIALS json file including a token file (credential_source.file), these files need to be mounted in both elastic-agent and terraform containers keeping the same paths.
Example of the contents of the JSON file pointed to by the GOOGLE_APPLICATION_CREDENTIALS variable:
https://github.com/elastic/oblt-google-auth-buildkite-plugin/blob/1aa2833001484f4de7520aaa245943975e184a6c/hooks/environment#L37-L47
This PR ensures that these two files are mounted in both containers via volume mounts in the same paths as in the host as read only. The user still needs to add the GOOGLE_APPLICATION_CREDENTIALS environment variable in the test deploy configuration.
Tested in elastic/integrations#16642 and https://buildkite.com/elastic/integrations/builds/36418
Considerations:
ephemeral: true in the provider configuration.
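The description above says the credentials JSON may reference a second token file (credential_source.file) and that both must be mounted at identical host and container paths. The following added example (not elastic-package's own code) shows how that set of files can be derived from the JSON and rendered as the read-only bind mounts used in this PR's template; the gcpCredentials type, the sample JSON and the paths are constructed for the example, and invalid JSON or a relative path is rejected rather than silently mounting nothing.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
)

// gcpCredentials: the fields of the GOOGLE_APPLICATION_CREDENTIALS JSON that decide
// which files must be mounted (constructed type for this example, not elastic-package's).
type gcpCredentials struct {
	Type             string `json:"type"`
	CredentialSource struct {
		File string `json:"file"`
	} `json:"credential_source"`
}

// MountPaths returns every host file to bind-mount into the agent and terraform
// containers at the same absolute path: the credentials file itself plus, for
// "external_account" credentials, the token file named by credential_source.file.
func MountPaths(credsPath string, raw []byte) ([]string, error) {
	if !filepath.IsAbs(credsPath) {
		return nil, fmt.Errorf("credentials path must be absolute to be mounted at the same path: %q", credsPath)
	}
	var creds gcpCredentials
	if err := json.Unmarshal(raw, &creds); err != nil {
		return nil, fmt.Errorf("invalid credentials JSON in %s: %w", credsPath, err)
	}
	paths := []string{credsPath}
	if creds.Type == "external_account" {
		// IsAbs is false for an empty string, so a missing file field is rejected too.
		if f := creds.CredentialSource.File; !filepath.IsAbs(f) {
			return nil, fmt.Errorf("credential_source.file must be an absolute path, got %q", f)
		}
		paths = append(paths, creds.CredentialSource.File)
	}
	return paths, nil
}

// ComposeVolumes renders read-only bind mounts with identical source and target,
// the shape of the templated docker-compose volumes in this PR.
func ComposeVolumes(paths []string) string {
	out := ""
	for _, p := range paths {
		out += fmt.Sprintf("  - type: bind\n    source: %s\n    target: %s\n    read_only: true\n", p, p)
	}
	return out
}

func main() {
	// Constructed sample in the shape the Buildkite plugin writes; it holds no real secrets.
	raw := []byte(`{"type":"external_account","credential_source":{"file":"/tmp/oidc-token"}}`)
	paths, err := MountPaths("/tmp/gcp-creds.json", raw)
	if err != nil {
		panic(err)
	}
	fmt.Print(ComposeVolumes(paths))
}
```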