google-github-actions / auth

A GitHub Action for authenticating to Google Cloud.
https://cloud.google.com/iam
Apache License 2.0

Cannot push an image to Google Docker Artifact Registry #50

Closed fleroux514 closed 2 years ago

fleroux514 commented 2 years ago

TL;DR

Replaced the use of https://github.com/docker/login-action with the current action to authenticate to a Google Docker Artifact registry and I can't seem to push an image to it.

Proof that my service account has access to the registry:

[screenshot]

Expected behavior

Able to push a docker image to Google Artifact Registry

Observed behavior

Getting the following error:

denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/prj-d-perso-fleroux-4094/locations/northamerica-northeast1/repositories/fleroux-docker" (or it may not exist)

[screenshot]

Action YAML

---
name: Authenticate to Artifact registry using Identity Federation
on:
  push:

jobs:
  test-oidc:
    runs-on: ubuntu-latest
    env:
      PY_COLORS: '1'
      ANSIBLE_FORCE_COLOR: '1'
      WORKLOAD_IDENTITY_POOL_PROVIDER: 'projects/506790059452/locations/global/workloadIdentityPools/github-pool/providers/github-pool-provider'
      SERVICE_ACCOUNT: 'sa-fleroux@prj-d-perso-fleroux-4094.iam.gserviceaccount.com'

    # Add "id-token" with the intended permissions.
    permissions:
      contents: 'read'
      id-token: 'write'

    steps:
      - name: Checkout codebase
        uses: actions/checkout@v2

      - name: Authenticate to Google
        id: 'auth'
        uses: 'google-github-actions/auth@v0.3.1'
        with:
          token_format: 'id_token'
          workload_identity_provider: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          service_account: ${{ env.SERVICE_ACCOUNT }}
          id_token_audience: ${{ env.WORKLOAD_IDENTITY_POOL_PROVIDER }}
          create_credentials_file: true

      - name: Build and push Docker
        run: |
          gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
          cd docker_test
          docker build -t northamerica-northeast1-docker.pkg.dev/prj-d-perso-fleroux-4094/fleroux-docker/hello:latest .
          docker image push northamerica-northeast1-docker.pkg.dev/prj-d-perso-fleroux-4094/fleroux-docker/hello
        shell: bash

Additional information

No response

bharathkkb commented 2 years ago

Thanks for the report @fleroux514. I believe you will still need to run gcloud auth configure-docker northamerica-northeast1-docker.pkg.dev for gcloud to configure the docker config to use gcloud as a credential helper.

Another alternative is to use the access_token from auth directly, bypassing the need for gcloud. Something like echo "${{ steps.auth.outputs.access_token }}" | docker login -u oauth2accesstoken --password-stdin https://northamerica-northeast1-docker.pkg.dev
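As an added example (not code from the issue or from the auth action's documentation), here is the reporter's workflow reworked to apply both suggestions above; the project, pool, service account and registry values are the ones in the report, and only one of the two login steps is needed in practice.

```yaml
name: Push to Artifact Registry with Workload Identity Federation
on:
  push:

jobs:
  push-image:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'   # required so the job can mint a GitHub OIDC token
    env:
      REGISTRY: 'northamerica-northeast1-docker.pkg.dev'
      IMAGE: 'northamerica-northeast1-docker.pkg.dev/prj-d-perso-fleroux-4094/fleroux-docker/hello'
    steps:
      - uses: actions/checkout@v2

      # Request an OAuth2 access token rather than an id_token: docker login
      # accepts it as the password for the fixed username "oauth2accesstoken".
      - name: Authenticate to Google
        id: 'auth'
        uses: 'google-github-actions/auth@v0.3.1'
        with:
          token_format: 'access_token'
          workload_identity_provider: 'projects/506790059452/locations/global/workloadIdentityPools/github-pool/providers/github-pool-provider'
          service_account: 'sa-fleroux@prj-d-perso-fleroux-4094.iam.gserviceaccount.com'
          create_credentials_file: true

      # Option A: register gcloud as docker's credential helper for this host.
      # Without this, docker pushes anonymously, which is the "denied" in the report.
      - name: Configure docker via gcloud
        run: |
          gcloud auth login --brief --cred-file="${{ steps.auth.outputs.credentials_file_path }}"
          gcloud auth configure-docker "${REGISTRY}"

      # Option B: skip gcloud and log in with the short-lived access token.
      # The token is piped on stdin so it does not appear in argv or the job log.
      - name: Docker login with access token
        run: |
          echo "${{ steps.auth.outputs.access_token }}" | docker login -u oauth2accesstoken --password-stdin "https://${REGISTRY}"

      - name: Build and push
        run: |
          docker build -t "${IMAGE}:latest" docker_test
          docker push "${IMAGE}:latest"
```

Either route leaves a credential on the runner (a docker config entry pointing at the gcloud helper, or the base64-encoded access token in ~/.docker/config.json), so this belongs in an ephemeral job and the service account should hold only the Artifact Registry write permissions the push needs.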

fleroux514 commented 2 years ago

Thanks a lot @bharathkkb

gcloud auth configure-docker northamerica-northeast1-docker.pkg.dev did it