Git authentication tools for Google Compute Engine

The git-cookie-authdaemon uses the GCE metadata server to acquire an OAuth2 access token and configures git to always present this OAuth2 token when connecting to googlesource.com or Google Cloud Source Repositories.

Setup

Launch the GCE VMs with the gerritcodereview scope requested, for example:

gcloud compute instances create \
  --scopes https://www.googleapis.com/auth/gerritcodereview \
  ...

To add a scope to an existing GCE instance see this gcloud beta feature.

Installation on Linux

Install the daemon within the VM image and start it:

sudo apt-get install git
git clone https://gerrit.googlesource.com/gcompute-tools/
./gcompute-tools/git-cookie-authdaemon

The daemon launches itself into the background and continues to keep the OAuth2 access token fresh.
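The following is an added example, not part of gcompute-tools: a defensive check that the stored token is fresh and not readable by other local users. It assumes the daemon keeps the token in a Netscape-format cookie jar that git reads through its http.cookiefile setting; the page does not describe the file or its location, so pass the path yourself. The function name, thresholds and sample data are hypothetical.

```python
"""Audit a git HTTP cookie jar that holds short-lived OAuth2 bearer tokens (added example)."""
import os
import stat
import tempfile
import time

# Constructed sample in Netscape cookie-jar format (tab-separated); the token is a placeholder.
SAMPLE_JAR = (
    "# constructed sample, not real credentials\n"
    ".googlesource.com\tTRUE\t/\tTRUE\t1700003600\to\tPLACEHOLDER_TOKEN\n"
    "source.developers.google.com\tFALSE\t/\tFALSE\t1700000100\to\tPLACEHOLDER_TOKEN\n"
)

def audit_cookie_jar(path, now=None, min_ttl=300):
    """Return findings (strings) for the jar at `path`; never echoes cookie values."""
    now = time.time() if now is None else now
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit exposes the bearer token to other local users
        findings.append(f"mode {mode:04o}: readable beyond owner")
    seen = 0
    with open(path, encoding="utf-8") as jar:
        for lineno, raw in enumerate(jar, 1):
            line = raw.rstrip("\n")
            if line.startswith("#HttpOnly_"):  # curl's HttpOnly prefix is not a comment
                line = line[len("#HttpOnly_"):]
            elif not line.strip() or line.startswith("#"):
                continue
            fields = line.split("\t")
            if len(fields) != 7 or not fields[4].isdigit():
                findings.append(f"line {lineno}: malformed entry")
                continue
            domain, _, _, secure, expires, name, _ = fields
            seen += 1
            if secure != "TRUE":
                findings.append(f"line {lineno}: {domain} cookie '{name}' may be sent over plain HTTP")
            if int(expires) - now < min_ttl:
                findings.append(f"line {lineno}: {domain} cookie '{name}' expired or expires in under {min_ttl}s")
    if seen == 0:
        findings.append("no cookies present: daemon has not written a token")
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".cookie", delete=False) as tmp:
        tmp.write(SAMPLE_JAR)
    os.chmod(tmp.name, 0o644)
    for finding in audit_cookie_jar(tmp.name, now=1700000000):
        print(finding)
    os.unlink(tmp.name)
```

The permission check is POSIX-only, so it applies to the Linux installation. An expiry finding on a running VM usually means the daemon has stopped refreshing the token.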

Launch at Linux boot

git-cookie-authdaemon can be started as a systemd service at boot.

# Write the service config (tee runs as root; with "sudo cat >" the redirect runs as the calling user and fails)
$ sudo tee /etc/systemd/system/git-cookie-authdaemon.service > /dev/null << 'EOF'
[Unit]
Description=git-cookie-authdaemon required to access git-on-borg from GCE

Wants=network.target
After=syslog.target network-online.target

[Service]
# systemd does not support trailing comments; keep comments on their own lines.
# Update User and Group to your user and group.
User=builder
Group=builder
Type=simple
# Update the path.
ExecStart=/path/to/git-cookie-authdaemon
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

# Reload the service configs
$ sudo systemctl daemon-reload

# Enable the service
$ sudo systemctl enable git-cookie-authdaemon

# Start the service
$ sudo systemctl start git-cookie-authdaemon

# Check the status of the service
$ systemctl status git-cookie-authdaemon
$ ps -ef | grep git-cookie-authdaemon

# Reboot and check status again.

Installation on Windows

  1. Install Python and Git for Windows.
  2. Run git-cookie-authdaemon in the same environment and under the same user that will run git commands, for example in either Command Prompt or a Cygwin bash shell under user builder:

python git-cookie-authdaemon --nofork

Launch at Windows boot

In automation, you may want to launch git-cookie-authdaemon at Windows boot. This can be done with a scheduled task. The following is an example on a Jenkins node. The setup is:

  1. The VM is created from the GCE Windows Server 2012R2 image.
  2. Cygwin with SSHD is installed.
  3. The Jenkins master connects to the VM through SSH as the builder account.

To create the scheduled task:

  1. Launch Task Scheduler from an Administrator account.
  2. Click Create Task in the right pane.
  3. In the General tab:
    1. Change the user to the one running the Jenkins node if it is different. You may want to run the Jenkins node as a non-privileged user, builder in this example.
    2. Select Run whether user is logged on or not.
  4. In the Triggers tab, add a trigger:
    1. Set Begin the task to At startup.
    2. Uncheck Stop task if it runs longer than.
    3. Check Enabled.
  5. In the Actions tab, add a Start a program action:
    1. Set Program/script to C:\cygwin64\bin\bash.exe
    2. Set Add arguments to --login -c /home/builder/git-cookie-authdaemon_wrapper.sh (see note below)
  6. Click OK to save it.
  7. Optional: click Enable All Tasks History in Task Scheduler's right pane.
  8. Add the builder account to Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Log On As Batch Job

Note: /home/builder/git-cookie-authdaemon_wrapper.sh, shown below, does the following:

  1. Sets HOMEPATH if it is not set.
  2. Captures stdout and stderr in git-cookie-autodaemon.log for debugging.

#!/bin/bash
exe=gcompute-tools/git-cookie-authdaemon
log=/cygdrive/c/build/git-cookie-autodaemon.log

# HOMEPATH is not set in task scheduled at machine boot.
export HOMEPATH=${HOMEPATH:-'\Users\builder'}

# Option --debug is also available.
/cygdrive/c/Python27/python "$exe" --nofork >> "$log" 2>&1