To use Google Cloud Storage, you need to set the SCCACHE_GCS_BUCKET
environment variable to the name of the GCS bucket.
By default, SCCACHE on GCS will be read-only. To change this, set SCCACHE_GCS_RW_MODE
to either READ_ONLY
or READ_WRITE
.
You can also define a prefix that will be prepended to the keys of all cache objects created and read within the GCS bucket, effectively creating a scope. To do that use the SCCACHE_GCS_KEY_PREFIX
environment variable. This can be useful when sharing a bucket with another application.
Sccache is able to load credentials from various sources. Including:
SCCACHE_GCS_KEY_PATH
has been set, we will load from this file first.SCCACHE_GCS_CREDENTIALS_URL
has been set, we will load token from this url first.GOOGLE_APPLICATION_CREDENTIALS
%APPDATA%\gcloud\application_default_credentials.json
$XDG_CONFIG_HOME/gcloud/application_default_credentials.json
$HOME/.config/gcloud/application_default_credentials.json
To create such account, in GCP, go in APIs and Services
=> Cloud Storage
=> Create credentials
=> Service account
. Then, once created, click on the account then Keys
=> Add key
=> Create new key
. Select the JSON format and here it is. This JSON file is what SCCACHE_GCS_KEY_PATH
expects.
The service account needs Storage Object Admin
permissions on the bucket (otherwise, sccache will fail with a simple Permission denied
).
Such accounts require creating a Workload Identity Pool and Workload Identity Provider. This approach allows the environment (Azure, Aws, or other OIDC providers like Github) to create a temporary service account grant without having to share a service account JSON, which can be pretty powerful. An example on how to create such accounts is Google's guide on how to use it with Github.
After generating the external account JSON file, you may pass its path to SCCACHE_GCS_KEY_PATH
.
Service accounts used by the pool must have Storage Object Admin
permissions on bucket as well.
To verify that it works, run:
export SCCACHE_GCS_BUCKET=<bucket name in GCP> export SCCACHE_GCS_KEY_PATH=secret-gcp-storage.json ./sccache --show-stats # you should see [...] Cache location GCS, bucket: Bucket(name=<bucket name in GCP>), key_prefix: (none)
SCCACHE_GCS_OAUTH_URL
have been deprecated and not supported, please use SCCACHE_GCS_SERVICE_ACCOUNT
instead.