Open richjyoung opened 1 year ago
Was having this issue as well with artifactregistry-auth, also ended up having to roll back to v3.1.0
@richjyoung @hchorton Are yall possibly running on GCE? This might be an unexpected side effect from #50.
Here's my theory:
Can you try instead of doing gcloud auth activate-service-account, using this environment variable GOOGLE_APPLICATION_CREDENTIALS:
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key/file.json
This environment variable is checked before GCE's default service account credentials, so by doing so the service account will be used for publishing.
In my case we are running standard image for self hosted gitlab runners on Google Kubernetes Engine. I did not think running containers on GKE have access to the default service account on the host, however I will try this suggestion.
From: Hanzhen Yi @.> Sent: Tuesday, March 28, 2023 6:52:50 PM To: GoogleCloudPlatform/artifact-registry-npm-tools @.> Cc: Rich Young @.>; Mention @.> Subject: Re: [GoogleCloudPlatform/artifact-registry-npm-tools] npx google-artifactregistry-auth v3.1.1 succeeds but subsequent npm install hits 403 forbidden for private package (Issue #52)
@richjyoung if my memory serves correctly, GKE and GCE both use the metadata server as an ADC provider, so this can be the issue :)
Ah ok, thanks for your help!
Same issue for us.
Workaround worked for us. Thanks.
Having the same issue. My gitlab-runner does not run on a GCP/K8s. Using the version 3.1.0 did not help.
I'm using the environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to a service-account credential json file. This service-account has enough permissions and is used in other builds (maven) to GAR without issues. The NPM repository has the correct permissions and "Artifact Registry Reader" Role. Locally it works. :shrug:
This does not happen with v3.1.0
Running in GitLab CI on a private runner, executing the following (*** masked for privacy):
The output from GitLab CI Job is as follows:
The referenced log file contains no further information than the above output.
Version 3.1.0 does not have this issue, if we run npx --yes google-artifactregistry-auth@v3.1.0 (which we have had to commit to our .gitlab-ci.yml to fix our pipeline) then this works as expected. Please let me know if there is any further information I can provide, however I am unable to share a minimal example as this involves organisation private data.