Run any Docker container with automatic cloud authentication.
Simple YAML configuration + automatic GCP credential detection = zero-config deployments.
- ✅ Zero Config - Automatically detects and uses your existing gcloud credentials
- ✅ Works Everywhere - Local dev, CI/CD, production
- ✅ Secure - Read-only mounts, no credential copying
```bash
# 1. Install
npm install -g @udx/worker-deployment
# 2. Generate default config template
worker-config
# 3. Edit deploy.yml with your settings
# 4. Run your container
worker-run
```
That's it! The tool automatically detects your GCP credentials.
The tool supports three authentication methods:
Use your gcloud credentials - no key files needed!
```yaml
# In deploy.yml
config:
  service_account:
    email: "my-sa@my-project.iam.gserviceaccount.com"
```
One-time setup:
```bash
# 1. Authenticate with gcloud
gcloud auth login
# 2. Set up Application Default Credentials (required for Terraform)
gcloud auth application-default login
# 3. Grant yourself impersonation permission
gcloud iam service-accounts add-iam-policy-binding \
  my-sa@my-project.iam.gserviceaccount.com \
  --member="user:$(gcloud config get-value account)" \
  --role="roles/iam.serviceAccountTokenCreator" \
  --project=MY_PROJECT
# 4. Run
worker-run
```
Why use this?
- ✅ No key files
- ✅ Temporary tokens
- ✅ Easy permission management
- ✅ Works with Terraform/SDKs
If you already have a service account key:
```bash
# Save as gcp-key.json in your project directory
worker-run
```
Or specify a custom path in deploy.yml:
```yaml
config:
  service_account:
    key_path: "./secrets/my-key.json"
```
Keyless authentication for CI/CD:
```yaml
- uses: google-github-actions/auth@v3
  id: auth
  with:
    workload_identity_provider: ${{ secrets.WIF_PROVIDER }}
    service_account: ${{ secrets.WIF_SERVICE_ACCOUNT }}
- run: |
    # Quote the path so an unusual runner path cannot split into several arguments
    cp "${{ steps.auth.outputs.credentials_file_path }}" gcp-credentials.json
    worker-run
```
Or specify a custom path:
```yaml
config:
  service_account:
    token_path: "./credentials/gcp-token.json"
```
The tool checks credentials in this order:
- Config-specified (`service_account.email`, `key_path`, or `token_path`)
- Default files (`gcp-key.json` or `gcp-credentials.json` in current/config directory)
Default file locations work automatically - no config needed!
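The lookup order above, written out as a pre-flight check you can run before `worker-run`. This is an added example, not the tool's own code: the function names, the precedence among `email`, `key_path` and `token_path`, the order in which the two default file names are tried, and the file-permission check are assumptions.

```python
import stat
from pathlib import Path

# Default file names from the README; trying them in this order is an assumption.
DEFAULT_FILES = (("key", "gcp-key.json"), ("token", "gcp-credentials.json"))


def resolve_credentials(service_account, search_dirs):
    """Return (method, path) following the documented lookup order.

    service_account: parsed `config.service_account` mapping from deploy.yml.
    search_dirs: current directory and config directory, in that order.
    Precedence among email/key_path/token_path is an assumption.
    """
    sa = service_account or {}
    # 1. Config-specified settings win over default files.
    if sa.get("email"):
        return ("impersonation", None)
    for method, field in (("key", "key_path"), ("token", "token_path")):
        if sa.get(field):
            path = Path(sa[field])
            if not path.is_file():
                raise FileNotFoundError(f"{field} points to a missing file: {path}")
            return (method, path)
    # 2. Default files in the current/config directory.
    for directory in search_dirs:
        for method, name in DEFAULT_FILES:
            candidate = Path(directory) / name
            if candidate.is_file():
                return (method, candidate)
    return ("none", None)


def preflight_warnings(method, path):
    """Flag credential files that other local users can read (added check)."""
    warnings = []
    if path is not None:
        mode = stat.S_IMODE(Path(path).stat().st_mode)
        if mode & 0o077:
            warnings.append(f"{path} has mode {mode:o}; restrict it with chmod 600")
    if method == "key":
        warnings.append("long-lived service account key in use; keep it out of version control")
    return warnings
```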
```bash
worker-config                    # Generate config template
worker-run                       # Run container (auto-detects credentials)
worker-run --dry-run             # Preview without executing
worker-run run-it                # Interactive mode (shell access)
worker-run --config=custom.yml   # Use custom config file
```
Edit the generated deploy.yml file:
```yaml
---
kind: workerDeployConfig
version: udx.io/worker-v1/deploy
config:
  # Docker image to use
  image: "usabilitydynamics/udx-worker-tooling:latest"
  # Mount your files into the container
  volumes:
    - "./src:/workspace/src"   # Mount src folder
    - "./data:/workspace/data" # Mount data folder
  # Set environment variables
  env:
    DEBUG: "true"
    PROJECT_NAME: "my-project"
  # Command to run (optional - if not specified, uses container's default CMD/ENTRYPOINT)
  command: "bash /workspace/src/my-script.sh"
```
```yaml
config:
  image: "usabilitydynamics/udx-worker:latest"
  volumes:
    - "./:/workspace"
  env:
    DEBUG: "true"
    GCP_PROJECT: "my-project"
  command: "worker run my-task"
```
```yaml
config:
  image: "usabilitydynamics/udx-worker:latest"
  volumes:
    - "./scripts:/workspace/scripts"
    - "./data:/workspace/data"
  env:
    ENVIRONMENT: "production"
  command: "bash /workspace/scripts/deploy.sh"
```
```yaml
config:
  image: "usabilitydynamics/udx-worker:latest"
  service_account:
    email: "worker-sa@my-project.iam.gserviceaccount.com"
  volumes:
    - "./:/workspace"
  command: "worker deploy --env=staging"
```
```yaml
config:
  image: "usabilitydynamics/udx-worker:latest"
  volumes:
    - "./:/workspace"
  env:
    GCP_PROJECT: "my-project"
  # No command specified - uses container's default CMD/ENTRYPOINT
```
```bash
# Test your configuration without executing
worker-run --dry-run
```
```bash
# Run container with shell access
worker-run run-it
```
```bash
# Required
brew install docker yq
# macOS only (GNU Make)
brew install make
# Optional (for GCP auth)
brew install google-cloud-sdk
```
MIT