NOTE: Cloud Pub/Sub Client Libraries Authentication local development vs. Jenkins

We had some back and forth with this while trying to run Pub/Sub tests locally vs. Jenkins so I want to note it down here. With the Cloud Client Libraries for Pub/Sub you can authenticate locally as a developer using gcloud:

gcloud auth application-default login

This will open up a browser our print a URL and prompt for a verification code. This will apply to all api calls that use this library. Now provided your user has the proper IAM roles you will be able to use the client libraries against Google Cloud Pub/Sub and test your work locally the same way you test in CI.

With CI in our case Jenkins we had to do a few things. We created a service account in Google Cloud, applied the correct IAM roles and pulled down the json key. Created the credential in Jenkins using the credential kind of Secret File:

Next in your JenkinsFile you will want to create a variable with the Credentials Binding Plugin.

stage('test') {
    steps{
      echo "Starting build ${BUILD_ID} for ${JOB_NAME}"
      withCredentials([[$class: 'FileBinding', credentialsId: 'my-key-id', variable: 'GOOGLE_APPLICATION_CREDENTIALS']]) {
          sh "gradle my-project:test"
      }

Application Default Credentials (ADC) will use that variable if you include whatever is using the client libraries in that binding. In our case a gradle task to test the creation of a topic and subscription and a push/pull. This should work for both old and new client libraries in the case you’re using App Engine Standard for example.