Use dedicated auth lib

Dockerfile

@@ -1,25 +1,17 @@
-FROM python:3.11-slim
-
-WORKDIR /usr/src/app
-
+FROM python:3.11-slim AS gradio
+RUN useradd -m -u 1000 app
+USER app
+ENV HOME=/home/app \
+  PATH=/home/app/.local/bin:$PATH
+WORKDIR ${HOME}
 COPY . .
+# https://huggingface.co/docs/hub/spaces-sdks-docker#buildtime
+RUN --mount=type=secret,id=EXTRA_INDEX_URL,mode=0444,required=true \
+  pip install --no-cache-dir --extra-index-url=$(cat /run/secrets/EXTRA_INDEX_URL) cycloud-sdk-python-auth > /dev/null 2>&1
 RUN pip install --no-cache-dir -r requirements.txt
+RUN --mount=type=secret,id=LLM_CREDENTIALS,mode=0444,required=true \
+  cat /run/secrets/LLM_CREDENTIALS > ${HOME}/credentials.json
 EXPOSE 7860
-ENV GRADIO_SERVER_NAME="0.0.0.0"
-
-# Get service account key from HF Spaces' secrets
-# https://huggingface.co/docs/hub/spaces-sdks-docker#buildtime
-RUN --mount=type=secret,id=GCLOUD_SA_JSON,mode=0444,required=true \
-   cat /run/secrets/GCLOUD_SA_JSON > /usr/src/app/credentials.json
-
-RUN --mount=type=secret,id=GCLOUD_OBJECT_SA_JSON,mode=0444,required=true \
-   cat /run/secrets/GCLOUD_OBJECT_SA_JSON > /usr/src/app/credentials_object.json
-
-RUN --mount=type=secret,id=BUCKET_NAME,mode=0444,required=true \
-    --mount=type=secret,id=CLI_OBJECT_NAME,mode=0444,required=true \
-    python download_gcs_object.py --bucket-name $(cat /run/secrets/BUCKET_NAME) --object-name $(cat /run/secrets/CLI_OBJECT_NAME)
 
-RUN --mount=type=secret,id=CLI_OBJECT_NAME,mode=0444,required=true \
-    tar -xf $(cat /run/secrets/CLI_OBJECT_NAME)
-
-CMD ["python", "app.py"]
+ENV GRADIO_SERVER_NAME="0.0.0.0"
+CMD ["python", "app.py"]

app.py

@@ -9,6 +9,7 @@ import httpx
 from const import CLI_COMMAND, CSS, FOOTER, HEADER, MODELS, PLACEHOLDER
 from openai import OpenAI
 from PIL import Image
+from cycloud.auth import load_default_credentials
 
 
 def get_token() -> str:
@@ -25,8 +26,9 @@ def get_token() -> str:
 
 
 def get_headers() -> dict:
+    creds = load_default_credentials()
     return {
-        "Authorization": f"Bearer {get_token()}",
+        "Authorization": f"Bearer {creds.access_token}",
         "Accept": "application/json",
         "Content-Type": "application/json",
     }

download_gcs_object.py

@@ -1,26 +0,0 @@
-import argparse
-import json
-
-from google.cloud import storage
-from google.oauth2 import service_account
-
-
-def download_gcs_object(bucket_name: str, object_name: str):
-    with open("/usr/src/app/credentials_object.json", "r") as f:
-        credentials_dict = json.load(f)
-    credentials = service_account.Credentials.from_service_account_info(
-        credentials_dict
-    )
-    client = storage.Client(
-        credentials=credentials, project=credentials_dict["project_id"]
-    )
-    blob = client.bucket(bucket_name).blob(object_name)
-    blob.download_to_filename(object_name)
-
-
-if __name__ == "__main__":
-    parser = argparse.ArgumentParser()
-    parser.add_argument("--bucket-name", type=str, required=True)
-    parser.add_argument("--object-name", type=str, required=True)
-    args = parser.parse_args()
-    download_gcs_object(args.bucket_name, args.object_name)