pass in gcloud access token, if provided, to unpack_archive_to_bucket…

…_path; otherwise, obtain it via `gcloud auth print-access-token` pass in gcloud access token, if provided, to unpack_archive_to_bucket_path; otherwise, obtain it via `gcloud auth print-access-token` (which should work on Terra/GCE instances).
broadinstitute · Dec 12, 2024 · 4cf59d4 · 4cf59d4
1 parent 7a79db3
commit 4cf59d4
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 4 deletions.
diff --git a/pipes/WDL/tasks/tasks_utils.wdl b/pipes/WDL/tasks/tasks_utils.wdl
@@ -89,15 +89,29 @@ task unpack_archive_to_bucket_path {
     }
 
     command <<<
+        # verify gcloud is installed (it should be, if the default docker image is used)
+        if ! command -v gcloud &> /dev/null; then
+            echo "ERROR: gcloud is not installed; it is required to authenticate to Google Cloud Storage" >&2
+            exit 1
+        fi
+
         if ~{if(defined(gcloud_access_token)) then 'true' else 'false'}; then
             # set access token env var expected by gcloud,
             # if provided by the user
             export CLOUDSDK_AUTH_ACCESS_TOKEN="~{gcloud_access_token}"
+        else
+            export CLOUDSDK_AUTH_ACCESS_TOKEN="$(gcloud auth print-access-token)"
+        fi
+
+        # check that the gcloud access token is populated
+        if [ -z "${CLOUDSDK_AUTH_ACCESS_TOKEN}" ]; then
+            echo "ERROR: gcloud access token not found; it must either be provided via the 'gcloud_access_token' input, or made available within the execution environment (via 'gcloud auth print-access-token')" >&2
+            exit 1
         fi
 
         # check whether the bucket path prefix begins with "gs://" and if not, 
         # prepend the 'protocol'; also strip leading or trailing slash if present
-        # (for flexibility—the user can specify the bucket path prefix with or without the protocol)
+        # (for flexibility; this way the user can specify the bucket path prefix with or without the protocol)
         bucket_path_prefix=$(echo "~{bucket_path_prefix}" | sed -e 's|^gs://||' -e 's|/$||' -e 's|^/*||' -e 's|^|gs://|')
 
         # check that, excluding the gs:// 'protocol' prefix, the bucket path prefix is not empty
@@ -108,8 +122,8 @@ task unpack_archive_to_bucket_path {
 
         # check whether the user can write to the target bucket
         # by trying  a simple write action, since we cannot rely on
-        # the user having the permissions needed to view the IAM policie(ss) that
-        # determine their (write) access to the bucket
+        # the user having the permissions needed to view the IAM policies
+        # that determine their (write) access to the bucket 
         if ! echo "write_test" | gcloud storage cp - "${bucket_path_prefix}/.tmp/test-write-access.txt" --quiet; then
             echo "ERROR: user does not have write access to the target bucket: ~{bucket_path_prefix}" >&2
             exit 1

diff --git a/pipes/WDL/workflows/unpack_archive_to_bucket.wdl b/pipes/WDL/workflows/unpack_archive_to_bucket.wdl
@@ -19,6 +19,9 @@ workflow unpack_archive_to_bucket {
     call tasks_terra.check_terra_env
 
     if( (check_terra_env.is_running_on_terra && check_terra_env.is_backed_by_gcp) || defined(gcloud_auth_token) ) {
-        call tasks_utils.unpack_archive_to_bucket_path
+        call tasks_utils.unpack_archive_to_bucket_path {
+            input:
+                gcloud_access_token = gcloud_auth_token
+        }
     }
 }