Why is a service account key being baked into the Dockerfile?
The Dockerfile is including a service account key: https://github.com/googlecodelabs/kubeflow-introduction/blob/1381430b970811ccbdefb4f388897d7000989c1e/tensorflow-model/Dockerfile#L13
Is there a particular reason it is doing this?
Storing credentials in the Docker image is not secure. It should be unnecessary as well. When the container is run, the appropriate service account key can be mounted into the container using a K8s secret. The environment variable GOOGLE_APPLICATION_CREDENTIALS can also be set at runtime.
The service account is added so that the container can push the trained model to GCS after completing training. This code was made for the Introduction Codelab. To make things easy and understandable for the codelab environment, I emphasized simplicity over production-readiness. Now that this sample code is being used in other contexts, it's probably worthwhile to reevaluate that decision. I'm going to be working with @sarahmaddox to update the codelabs to 0.4 this month, so I'll keep this in mind for the update.
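The runtime approach suggested in the issue (key mounted from a K8s secret, GOOGLE_APPLICATION_CREDENTIALS set when the container starts) could look like the manifest below. This is an added example, not code from the codelab repository or from either poster; the Job name, secret name, key file name, mount path and image placeholder are all assumptions.

```yaml
# Added example: every name here is an assumption, not taken from the codelab.
# The secret is created out of band, so the key never enters the image or its layers:
#   kubectl create secret generic gcs-writer-key --from-file=key.json=/path/to/key.json
apiVersion: batch/v1
kind: Job
metadata:
  name: train-model                  # hypothetical Job name
spec:
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: trainer
          image: IMAGE_PLACEHOLDER   # training image built without the key file
          env:
            # Google client libraries read the key path from this variable at runtime.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/key.json
          volumeMounts:
            - name: gcs-key
              mountPath: /var/secrets/google
              readOnly: true
      volumes:
        - name: gcs-key
          secret:
            secretName: gcs-writer-key   # must match the secret created above
```

With this layout the key can be rotated by replacing the secret, without rebuilding the image, and anyone who pulls the image gets no credential.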