The above error leads me to confusion, so I need your help. Please help me.
The technical environment used is as follows: Artifact Registry, GitHub Actions.
I adjusted the OIDC method for permissions, since the credential-key method is not used. The google.yml file for the GitHub Action is like this:
```yaml
name: "Build and Push to Artifact Registry"
on:
  push:
    branches:
      - "main"
      - "qa"
env: # Define static environment variables here
  PROJECT_ID: "${{ secrets.PROJECT_ID }}"
  GAR_LOCATION: "${{ secrets.GAR_LOCATION }}"
  REPOSITORY: "${{ secrets.REPOSITORY }}"
  WORKLOAD_IDENTITY_PROVIDER: "${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}"
  GCP_SA_KEY: "${{ secrets.GCP_SA_KEY }}"
  SERVICE_ACCOUNT: "${{ secrets.GCP_SA_KEY }}"
  IMAGE: "static-site"
  ACTIONS_STEP_DEBUG: true
jobs:
  setup-build-publish:
    name: "Setup, Build, and Publish to Artifact Registry"
    runs-on: "ubuntu-latest"
    environment: "qa"
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: "Checkout"
        uses: "actions/checkout@v4" # actions/checkout@v4
      # Configure Workload Identity Federation and generate an access token.
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v2" # google-github-actions/auth@v2
        with:
          workload_identity_provider: "${{ env.WORKLOAD_IDENTITY_PROVIDER }}"
          # project_id: "${{ env.PROJECT_ID }}"
          # service_account: "${{ env.SERVICE_ACCOUNT }}"
      # Authenticate Docker to Google Cloud Artifact Registry
      - name: "Docker Auth"
        uses: "docker/login-action@v3" # docker/login-action@v3
        with:
          username: "oauth2accesstoken"
          password: "${{ steps.auth.outputs.auth_token }}"
          registry: "${{ env.GAR_LOCATION }}-docker.pkg.dev"
      # Build the Docker image
      - name: "Build and push Docker container"
        run: |-
          DOCKER_TAG="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY}/${IMAGE}:${GITHUB_SHA}"
          docker build \
            --file api/Dockerfile \
            --tag "${DOCKER_TAG}" \
            --build-arg GITHUB_SHA="${GITHUB_SHA}" \
            --build-arg GITHUB_REF="${GITHUB_REF}" \
            ./api
          docker push "${DOCKER_TAG}"
```
When I execute the build, the GCP auth and Docker auth succeed, but the docker push fails.
Error message:

```
denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/***/locations/***/repositories/***"
```

I granted roles/artifactregistry.admin to the service account and the repository. Grant commands:

```bash
gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT \
  --role="roles/iam.serviceAccountTokenCreator" \
  --member="serviceAccount:$SERVICE_ACCOUNT"
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SERVICE_ACCOUNT" \
  --role="roles/artifactregistry.admin"
gcloud artifacts repositories add-iam-policy-binding $REPOSITORY_NAME \
  --location=$LOCAL \
  --member="serviceAccount:$SERVICE_ACCOUNT" \
  --role="roles/artifactregistry.admin"
```

But the error still occurred........ no!!!! I have spent about 3 days on this!!!!
What should I check, or am I missing something?
I want to push a Docker image to Artifact Registry.
asked Jan 20 at 0:43 by 노정우

1 Answer
In my (limited) experience, it's easier to debug by checking with a known-working example.
I was able to get this working; it's tedious but it's consistent.
Here are some hopefully useful hints.
In what follows, `${VAR}` refers to a Bash script using the environment variable, whereas `{VAR}` (without the prefixing `$`) is used in output to indicate where the variable's value is used (in an attempt to make it easier to match these up).
Environment:

```bash
PROJECT="..."
NUMBER=$(\
  gcloud projects describe ${PROJECT} \
  --format="value(projectNumber)")
TOKEN="ghp_..." # GitHub token
OWNER="..."     # https://github.com/${OWNER}/${REPO}
REPO="..."
ACCOUNT="..."   # Service Account
EMAIL="${ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"
# Project number is a shell variable here, so it needs the $ prefix
POOL="projects/${NUMBER}/locations/global/workloadIdentityPools/github"
PROVIDER="${POOL}/providers/my-repo"
```
For `OWNER_ID` and `REPO_ID`:

```bash
curl \
  --silent \
  --location \
  --header "Accept: application/json" \
  --header "Authorization: Bearer ${TOKEN}" \
  https://api.github.com/repos/${OWNER}/${REPO} \
| jq -r '{"owner_id":.owner.id,"repo_id":.id}'
```
```bash
gcloud iam workload-identity-pools describe ${POOL} \
  --project="${PROJECT}" \
  --location="global"
```

```yaml
displayName: GitHub Actions Pool
name: projects/{NUMBER}/locations/global/workloadIdentityPools/github
state: ACTIVE
```
```bash
gcloud iam workload-identity-pools providers describe ${PROVIDER} \
  --project="${PROJECT}" \
  --location="global" \
  --workload-identity-pool=${POOL}
```

Replace `OWNER_ID` and `REPO_ID` per above.

```yaml
attributeCondition: assertion.repository_owner_id == "{OWNER_ID}" && assertion.repository_id=="{REPO_ID}"
attributeMapping:
  attribute.actor: assertion.actor
  attribute.repository: assertion.repository
  attribute.repository_owner: assertion.repository_owner
  google.subject: assertion.sub
displayName: My GitHub repo Provider
name: {PROVIDER}
oidc:
  issuerUri: https://token.actions.githubusercontent.com
state: ACTIVE
```
```bash
gcloud projects get-iam-policy ${PROJECT}
```

```yaml
bindings:
- members:
  - serviceAccount:{EMAIL}
  role: roles/artifactregistry.admin
- members:
  - serviceAccount:service-{NUMBER}@gcp-sa-artifactregistry.iam.gserviceaccount.com
  role: roles/artifactregistry.serviceAgent
- members:
  - serviceAccount:{EMAIL}
  role: roles/iam.serviceAccountTokenCreator
- members:
  - user:[email protected]
  role: roles/owner
version: 1
```
```bash
gcloud iam service-accounts get-iam-policy ${EMAIL}
```

```yaml
bindings:
- members:
  - principalSet://iam.googleapis.com/{POOL}/attribute.repository/{OWNER}/{REPO}
  role: roles/iam.workloadIdentityUser
etag: BwYsKGd_npg=
version: 1
```

NOTE the `principalSet` uses `{OWNER}/{REPO}`.
And e.g. `build.yaml`:

```yaml
name: Test
on:
  workflow_dispatch:
permissions:
  contents: read
  id-token: write
env:
  PROJECT: "${{ secrets.PROJECT_ID }}"
  REGION: "${{ secrets.REGION }}"
  REPOSITORY: "${{ secrets.REPOSITORY }}"
  IMAGE: "${{ secrets.IMAGE }}"
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v4
      # Very useful for debugging claims
      - name: oidc-debugger
        uses: github/actions-oidc-debugger@main
        with:
          # Replace `{PROVIDER}` with your value
          audience: https://iam.googleapis.com/{PROVIDER}
      # Outputs `access_token`
      - name: auth
        id: auth
        uses: google-github-actions/auth@v2
        with:
          # Replace `{PROVIDER}` with your value
          workload_identity_provider: {PROVIDER}
          # Replace `{EMAIL}` with your value
          service_account: {EMAIL}
          create_credentials_file: true
          token_format: access_token
      # Consumes `access_token`
      - name: "Docker Auth"
        uses: "docker/login-action@v3"
        with:
          username: "oauth2accesstoken"
          password: "${{ steps.auth.outputs.access_token }}"
          registry: "${{ env.REGION }}-docker.pkg.dev"
      - name: "Build and push Docker container"
        run: |-
          TAG="${REGION}-docker.pkg.dev/${PROJECT}/${REPOSITORY}/${IMAGE}:${{ github.sha }}"
          echo ${TAG}
          docker build \
            --file=${PWD}/Dockerfile \
            --tag=${TAG} \
            ${PWD}
          docker push ${TAG}
```
NOTE `steps.auth.outputs.access_token`

`oidc-debugger` before `auth` to document the claims. This is a good debugging step. These questions are notoriously difficult to debug because there's so much complexity in the configuration :-( – DazWilkin Commented Jan 20 at 20:11
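As an added illustration (not part of the answer or of any Google tooling), the following Python simulates offline how the provider's `attributeMapping` and `attributeCondition` and the service account's `roles/iam.workloadIdentityUser` member decide whether a GitHub OIDC token may impersonate the service account. The claims, project number, owner/repo ids and repository name are all constructed placeholders, and only the `assertion.x == "y" && ...` subset of CEL shown on the page is supported.

```python
import re

# Constructed sample (made-up ids/names) shaped like the GitHub OIDC token claims
# that oidc-debugger prints; not taken from the page.
CLAIMS = {
    "sub": "repo:acme/static-site:ref:refs/heads/main",
    "actor": "octocat",
    "repository": "acme/static-site",
    "repository_owner": "acme",
    "repository_owner_id": "1111",
    "repository_id": "2222",
}
# Pool and provider settings in the shape `gcloud ... providers describe` prints.
POOL = "projects/123456789/locations/global/workloadIdentityPools/github"
ATTRIBUTE_MAPPING = {
    "google.subject": "assertion.sub",
    "attribute.actor": "assertion.actor",
    "attribute.repository": "assertion.repository",
    "attribute.repository_owner": "assertion.repository_owner",
}
ATTRIBUTE_CONDITION = 'assertion.repository_owner_id == "1111" && assertion.repository_id=="2222"'
_EQ = re.compile(r'^\s*assertion\.(\w+)\s*==\s*"([^"]*)"\s*$')

def condition_holds(claims, condition):
    """Evaluate the `assertion.x == "y" && ...` subset of CEL used in the condition."""
    for clause in condition.split("&&"):
        m = _EQ.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        if claims.get(m.group(1)) != m.group(2):
            return False
    return True

def map_attributes(claims, mapping):
    """Apply attributeMapping: each target receives the claim it names."""
    return {target: claims[src.removeprefix("assertion.")] for target, src in mapping.items()}

def principals_for(attrs, pool):
    """Member strings a roles/iam.workloadIdentityUser binding could use for this token."""
    base = f"//iam.googleapis.com/{pool}"
    members = {f"principal:{base}/subject/{attrs['google.subject']}", f"principalSet:{base}/*"}
    for key, value in attrs.items():
        if key.startswith("attribute."):
            members.add(f"principalSet:{base}/{key}/{value}")
    return members

def can_impersonate(claims, member):
    """True iff the provider admits the token and the SA binding member matches it."""
    return (condition_holds(claims, ATTRIBUTE_CONDITION)
            and member in principals_for(map_attributes(claims, ATTRIBUTE_MAPPING), POOL))
```

A mismatch between the `{OWNER}/{REPO}` in the binding and the `repository` claim, or a stale `repository_id` in the condition, both surface here as `False`, which is the same shape of failure the page debugs with `oidc-debugger`.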