google / go-containerregistry

Go library and CLIs for working with container registries
Apache License 2.0
3.08k stars 537 forks

crane: fails to load URL-sourced environment credentials #1886

Closed joaodrp closed 2 months ago

joaodrp commented 6 months ago

Describe the bug

I'm testing a workload identity federation setup from GitLab. crane seems to fail to identify environment credentials while the gcloud CLI succeeds. This behaviour seems to go against what was described in https://github.com/google/go-containerregistry/issues/1496#issuecomment-1329578823.

I'm setting both CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE and GOOGLE_APPLICATION_CREDENTIALS environment variables to the path of a JSON file with the following content:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/604150606412/locations/global/workloadIdentityPools/issue-reproduce/providers/issue-reproduce",
  "token_url": "https://sts.googleapis.com/v1/token",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "credential_source": {
    "url": "https://auth.gcp.gitlab.com/token",
    "headers": {
      "Authorization": "Bearer TRUNCATED"
    },
    "format": {
      "type": "json",
      "subject_token_field_name": "token"
    }
  }
}

I then try to list artifacts in an Artifact Registry repository, and crane returns the error No matching credentials were found for "us-east1-docker.pkg.dev". However, doing the same with gcloud works just fine.

The only way I got this to work with crane was to use docker-credential-gcr or gcloud auth configure-docker to configure auth.

So it seems that crane fails to identify the environment credentials, and the only fallback that works is the Docker config (if any).

To Reproduce

This is based on an experimental GitLab feature that is not yet released. I can give access to a maintainer from Google for debug purposes if needed.

Expected behavior

crane is able to identify and use environment credentials.

Additional context

Here are some logs. I'm using the latest (v0.19.0) version of crane.

crane 🔴

crane-nok.log

gcloud 🟢

gcloud-ok.log

crane + docker config 🟢

crane-ok.log

Local test 🔴 🟢

I get the exact same result (crane does not work, gcloud does) when running this locally.

local.log
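As an added triage aid (written here, not part of go-containerregistry and not the reporter's code), the block below checks the two things the report hinges on: that the credential file has the shape a URL-sourced external_account credential needs (type, audience, token_url, subject_token_type, and a credential_source with an https url plus a json format naming subject_token_field_name), and that GOOGLE_APPLICATION_CREDENTIALS and CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE actually point at a readable file. The embedded sample file is constructed to mirror the one in the issue; PROJECT_NUMBER, POOL, PROVIDER and the bearer token are placeholders, and the validation rules are the schema-level requirements of the external_account format, not an inspection of crane's own keychain logic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// credentialSource holds the credential_source fields read for URL- and
// file-sourced external_account credentials.
type credentialSource struct {
	URL     string            `json:"url"`
	File    string            `json:"file"`
	Headers map[string]string `json:"headers"`
	Format  struct {
		Type                  string `json:"type"`
		SubjectTokenFieldName string `json:"subject_token_field_name"`
	} `json:"format"`
}

// externalAccount mirrors the top-level fields of an external_account credential file.
type externalAccount struct {
	Type             string           `json:"type"`
	Audience         string           `json:"audience"`
	TokenURL         string           `json:"token_url"`
	SubjectTokenType string           `json:"subject_token_type"`
	CredentialSource credentialSource `json:"credential_source"`
}

// ValidateExternalAccount returns one message per schema problem found in raw.
// An empty result means the file itself is well-formed, so an auth failure
// lies elsewhere (env lookup, client keychain, STS exchange).
func ValidateExternalAccount(raw []byte) []string {
	var ea externalAccount
	if err := json.Unmarshal(raw, &ea); err != nil {
		return []string{"credential file is not valid JSON: " + err.Error()}
	}
	var problems []string
	if ea.Type != "external_account" {
		problems = append(problems, fmt.Sprintf("type is %q, expected \"external_account\"", ea.Type))
	}
	if !strings.HasPrefix(ea.Audience, "//iam.googleapis.com/projects/") ||
		!strings.Contains(ea.Audience, "/workloadIdentityPools/") {
		problems = append(problems, "audience is not a workload identity pool provider resource name")
	}
	if !strings.HasPrefix(ea.TokenURL, "https://") {
		problems = append(problems, "token_url must be an https URL")
	}
	if ea.SubjectTokenType == "" {
		problems = append(problems, "subject_token_type is missing")
	}
	cs := ea.CredentialSource
	switch {
	case cs.URL != "" && cs.File != "":
		problems = append(problems, "credential_source sets both url and file; use exactly one")
	case cs.URL != "":
		if !strings.HasPrefix(cs.URL, "https://") {
			// A plaintext URL would expose the Authorization header and accept a spoofed token.
			problems = append(problems, "credential_source.url must be an https URL")
		}
		switch cs.Format.Type {
		case "json":
			if cs.Format.SubjectTokenFieldName == "" {
				problems = append(problems, "credential_source.format.subject_token_field_name is required for json")
			}
		case "", "text":
		default:
			problems = append(problems, fmt.Sprintf("credential_source.format.type %q is not text or json", cs.Format.Type))
		}
	case cs.File != "":
		// file-sourced credentials need nothing further at the schema level
	default:
		problems = append(problems, "credential_source has neither url nor file")
	}
	return problems
}

// CheckCredentialEnv reports, for each variable named in the issue, whether it is set
// and whether the path it names can be stat'ed. lookup and stat are injected so the
// function can be exercised without touching the real environment.
func CheckCredentialEnv(lookup func(string) (string, bool), stat func(string) error) map[string]string {
	out := map[string]string{}
	for _, name := range []string{"GOOGLE_APPLICATION_CREDENTIALS", "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE"} {
		v, ok := lookup(name)
		switch {
		case !ok || v == "":
			out[name] = "unset"
		case stat(v) != nil:
			out[name] = "set but unreadable: " + v
		default:
			out[name] = "ok: " + v
		}
	}
	return out
}

// sampleCredential is a constructed file with the same shape as the issue's;
// PROJECT_NUMBER, POOL, PROVIDER and the bearer token are placeholders.
const sampleCredential = `{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER",
  "token_url": "https://sts.googleapis.com/v1/token",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "credential_source": {
    "url": "https://auth.gcp.gitlab.com/token",
    "headers": {"Authorization": "Bearer PLACEHOLDER"},
    "format": {"type": "json", "subject_token_field_name": "token"}
  }
}`

func main() {
	// Validate the real file when GOOGLE_APPLICATION_CREDENTIALS is set, else the sample.
	raw := []byte(sampleCredential)
	if b, err := os.ReadFile(os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")); err == nil {
		raw = b
	}
	for _, p := range ValidateExternalAccount(raw) {
		fmt.Println("problem:", p)
	}
	stat := func(p string) error { _, err := os.Stat(p); return err }
	for name, state := range CheckCredentialEnv(os.LookupEnv, stat) {
		fmt.Printf("%s: %s\n", name, state)
	}
}
```

Running this in the same job that runs crane separates "the file is malformed or not where the variable says" from "the client does not consult this credential type". Note that credential_source.headers carries a bearer secret, so the file deserves the same handling as a key file: no world-readable permissions and no echoing into job logs.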

github-actions[bot] commented 3 months ago

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.