GoogleCloudPlatform / gcr-cleaner

Delete untagged image refs in Google Container Registry or Artifact Registry
Apache License 2.0

Usage with azure pipelines #117

Closed by questionablequestion 2 years ago

questionablequestion commented 2 years ago

TL;DR

Hi,

Is it possible to use this tool with Azure Pipelines?

I have added the needed permission roles/artifactregistry.repoAdmin to the service account. The service account works, as I can push images to Google Artifact Registry with no problem.

Thanks!

Expected behavior

To remove old artifacts.

Observed behavior

Throwing permission denied.

Debug log output

DENIED: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/xproject-00000/locations/europe-west3/repositories/xxx" (or it may not exist)

Additional information

Pipeline example:

steps:
  - task: Docker@2
    inputs:
      containerRegistry: 'google-artifacts'
      command: 'login'
  - script: |
      docker run europe-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner-cli -dry-run -repo=europe-west3-docker.pkg.dev/xproject-00000/xxx/yyy

sethvargo commented 2 years ago

Hi @questionablequestion - I'm not sure how the Docker@2 task works and I'm not familiar with Azure Pipelines. But docker run won't inherit the environment so it won't have access to the login information on the host.

questionablequestion commented 2 years ago

Thanks @sethvargo. I have noticed that it is similarly being done for GitHub Actions, but I guess it's working differently than Azure Pipelines.

sethvargo commented 2 years ago

I believe GitHub Actions docker steps inherit the environment and filesystem of the parent. I don't think that's the case on Azure Pipelines. You would need to pass the credentials into the docker run command via environment variables or by mounting a volume.
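
The approach described in the last comment, passing the host's registry login into `docker run` through a read-only volume and an environment variable, as an added example that is not part of the original thread or the gcr-cleaner project. It assumes the CLI reads logins from `$DOCKER_CONFIG/config.json` and that the pipeline's login step leaves that directory in `DOCKER_CONFIG`; the `/docker-config` mount path and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not gcr-cleaner project code.
# Assumption: the CLI reads registry logins from $DOCKER_CONFIG/config.json.
IMAGE='europe-docker.pkg.dev/gcr-cleaner/gcr-cleaner/gcr-cleaner-cli'
MOUNT='/docker-config'   # hypothetical path inside the container

# check_docker_config DIR
# Succeeds only when DIR/config.json carries inline "auths" entries.
# Returns 1: file missing or unreadable, 2: credential helper configured,
# 3: no auths entry at all.
check_docker_config() {
  cfg="$1/config.json"
  [ -r "$cfg" ] || { echo "no readable $cfg" >&2; return 1; }
  # Helper binaries live on the host and do not exist inside the container,
  # so a config that delegates to one cannot authenticate there.
  if grep -Eq '"(credsStore|credHelpers)"' "$cfg"; then
    echo "$cfg delegates to a credential helper" >&2
    return 2
  fi
  grep -q '"auths"' "$cfg" || { echo "$cfg has no auths entry" >&2; return 3; }
}

# run_cleaner DIR [gcr-cleaner-cli flags...]
# Set DOCKER=echo to print the command line instead of running it.
run_cleaner() {
  dir="$1"; shift
  check_docker_config "$dir" || return $?
  # :ro keeps the container from modifying the login; --user lets it read a
  # 0600 config.json without loosening the file's permissions on the host.
  "${DOCKER:-docker}" run --rm \
    --user "$(id -u):$(id -g)" \
    -v "$dir:$MOUNT:ro" \
    -e "DOCKER_CONFIG=$MOUNT" \
    "$IMAGE" "$@"
}

# In the pipeline's script step, after the login task:
#   run_cleaner "${DOCKER_CONFIG:-$HOME/.docker}" -dry-run \
#     -repo=europe-west3-docker.pkg.dev/xproject-00000/xxx/yyy
```

The mounted file holds a registry credential, so keep the mount read-only and let the job's cleanup remove the login directory rather than copying `config.json` elsewhere.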