gcloudgoogle-cloud-rungoogle-cloud-buildcloudbuild.yamlgoogle-artifact-registry

Cloudbuild can't access Artifacts Registery when building cloud run docker container


I'm using a package from Artifacts Registery in my cloud run nodejs container. When I try to gcloud builds submit I get the following error:

Step #1: npm ERR! 403 403 Forbidden - GET https://us-east4-npm.pkg.dev/....
Step #1: npm ERR! 403 In most cases, you or one of your dependencies are requesting
Step #1: npm ERR! 403 a package version that is forbidden by your security policy.

Here is my cloudbuild.yaml:

steps:
 - name: gcr.io/cloud-builders/npm
   args: ['run', 'artifactregistry-login']

 - name: 'gcr.io/cloud-builders/docker'
   args: ['build', '-t', 'gcr.io/...', '.']
 
 - name: 'gcr.io/cloud-builders/docker'
   args: ['push', 'gcr.io/...']
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   entrypoint: gcloud
   args:
   - 'run'
   - 'deploy'
   - 'admin-api'
   - '--image'
   - 'gcr.io/...'
   - '--region'
   - 'us-east4'
   - '--allow-unauthenticated'
images:
 - 'gcr.io/....'

and Dockerfile

FROM node:14-slim

WORKDIR /usr/src/app

COPY --chown=node:node .npmrc ./

COPY package*.json ./


RUN npm install

COPY . ./

EXPOSE 8080

CMD [ "npm","run" ,"server" ]

.npmrc file:

@scope_xxx:registry=https://us-east4-npm.pkg.dev/project_xxx/repo_xxx/
//us-east4-npm.pkg.dev/project_xxx/repo_xxx/:always-auth=true

the google build service account already has the permission "Artifact Registry Reader"


Solution

  • The solution that worked with me can be found in this blog post:

    https://dev.to/brianburton/cloud-build-docker-and-artifact-registry-cicd-pipelines-with-private-packages-5ci2