GoogleCloudPlatform / artifact-registry-npm-tools


npx google-artifactregistry-auth v3.1.1 succeeds but subsequent npm install hits 403 forbidden for private package #52

Open richjyoung opened 1 year ago

richjyoung commented 1 year ago

This does not happen with v3.1.0

Running in GitLab CI on a private runner, executing the following (*** masked for privacy):

before_script:
  - gcloud auth activate-service-account ***@***.iam.gserviceaccount.com --key-file=*** --project=***
  - npx --yes google-artifactregistry-auth
  - npm ci --production=false
script:
  - ./node_modules/.bin/vitest run --coverage

The output from GitLab CI Job is as follows:

$ npx --yes google-artifactregistry-auth
Retrieving application default credentials...
Success!
$ npm ci
npm WARN deprecated json-schema-ref-parser@9.0.9: Please switch to @apidevtools/json-schema-ref-parser
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://us-npm.pkg.dev/***/***/@***/***/-/@***-3.0.1.tgz - The caller does not have permission.
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.
npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2023-03-28T08_28_36_481Z-debug-0.log

The referenced log file contains no further information than the above output.

Version 3.1.0 does not have this issue: if we run npx --yes google-artifactregistry-auth@v3.1.0 (which we have had to commit to our .gitlab-ci.yml to fix our pipeline), then this works as expected. Please let me know if there is any further information I can provide; however, I am unable to share a minimal example as this involves organisation-private data.

hchorton commented 1 year ago

Was having this issue as well with artifactregistry-auth, also ended up having to roll back to v3.1.0

yihanzhen commented 1 year ago

@richjyoung @hchorton Are y'all possibly running on GCE? This might be an unexpected side effect from #50.

Here's my theory:

Can you try instead of doing gcloud auth activate-service-account, using this environment variable GOOGLE_APPLICATION_CREDENTIALS:

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key/file.json

This environment variable is checked before GCE's default service account credentials, so by doing so the service account will be used for publishing.
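The comment above hinges on the Application Default Credentials (ADC) lookup order: the file named by GOOGLE_APPLICATION_CREDENTIALS is consulted first, then the ADC file that `gcloud auth application-default login` writes, and only then the attached service account served by the GCE/GKE metadata server. `gcloud auth activate-service-account` updates gcloud's own credential store but does not write that ADC file, so a tool that resolves ADC on a GCE or GKE host falls through to the node's attached service account. The script below is an added diagnostic, not code from artifact-registry-npm-tools; it encodes that order as a function you can exercise offline and, with `--run`, reports which source the current environment would produce. The output labels and the `--run` flag are my own conventions.

```shell
#!/bin/sh
# Added diagnostic, not part of artifact-registry-npm-tools. It reports which
# Application Default Credentials (ADC) source a Google client library would
# pick, following the documented lookup order:
#   1. the file named by GOOGLE_APPLICATION_CREDENTIALS
#   2. gcloud's ADC file (written by `gcloud auth application-default login`,
#      NOT by `gcloud auth activate-service-account`)
#   3. the attached service account, served by the GCE/GKE metadata server
# Inputs are passed as arguments so the function can be exercised offline.

adc_source() {
  env_file=$1        # value of GOOGLE_APPLICATION_CREDENTIALS ("" if unset)
  gcloud_adc=$2      # path to gcloud's application_default_credentials.json
  metadata=$3        # "yes" if the metadata server answered, anything else if not
  if [ -n "$env_file" ]; then
    # The env var wins outright; an unreadable path is a misconfiguration, not a fallback.
    if [ -r "$env_file" ]; then
      echo "env-var"
    else
      echo "env-var-unreadable"
      return 1
    fi
  elif [ -r "$gcloud_adc" ]; then
    echo "gcloud-adc-file"
  elif [ "$metadata" = "yes" ]; then
    echo "metadata-server"
  else
    echo "none"
    return 1
  fi
}

# Probe the metadata server the way client libraries do (short timeout, no retries).
metadata_reachable() {
  if command -v curl >/dev/null 2>&1 &&
     curl -s -m 1 -H 'Metadata-Flavor: Google' \
       http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email \
       >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# Run against the real environment only when invoked with --run, so that
# sourcing this file merely defines the functions.
if [ "${1:-}" = "--run" ]; then
  gcloud_dir=${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}
  src=$(adc_source "${GOOGLE_APPLICATION_CREDENTIALS:-}" \
                   "$gcloud_dir/application_default_credentials.json" \
                   "$(metadata_reachable)") || true
  echo "ADC source: $src"
  if [ "$src" = "metadata-server" ]; then
    echo "npm will authenticate as the node's attached service account, not the account activated with gcloud."
  fi
fi
```

Running it with `--run` in the CI job's before_script, ahead of `npx --yes google-artifactregistry-auth`, shows whether the job is about to authenticate as the node's default service account. If it prints `metadata-server`, the fix the comment proposes is to export GOOGLE_APPLICATION_CREDENTIALS to the key file before the auth step; granting Artifact Registry Reader to the node's default service account would also clear the 403, but it widens access for every workload on that node, so keep the reader role on the job-specific account instead.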

richjyoung commented 1 year ago

In my case we are running the standard image for self-hosted GitLab runners on Google Kubernetes Engine. I did not think containers running on GKE had access to the default service account on the host; however, I will try this suggestion.

yihanzhen commented 1 year ago

@richjyoung if my memory serves correctly, GKE and GCE both use the metadata server as an ADC provider, so this can be the issue :)

richjyoung commented 1 year ago

Ah ok, thanks for your help!

samuelgoldenbaum commented 1 year ago

Same issue for us.

kliffordmanto commented 5 months ago

Workaround worked for us. Thanks.

galan commented 4 months ago

Having the same issue. My gitlab-runner does not run on GCP/K8s. Using version 3.1.0 did not help.

I'm using the environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to a service-account credential JSON file. This service account has enough permissions and is used in other builds (Maven) against GAR without issues. The npm repository has the correct permissions and the "Artifact Registry Reader" role. Locally it works. :shrug:

galan commented 4 months ago

After a lot of digging, it seems to be a yarn issue. So the temporary solution for me was to run npx --yes google-artifactregistry-auth in a separate build step instead of in the preinstall script.