Tags: google-cloud-platform, github-actions, google-artifact-registry

My GCP service account with the "Artifact Registry Admin" role was not able to push the Docker image to the repo


I have a GitHub Actions workflow file as below:

name: CI
on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4
        with:
          cache: pip
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

  deploy:
    needs: [dependencies]
    runs-on: ubuntu-latest
    if: |
      github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref == 'refs/heads/main')
    env:
      DOCKER_BUILDKIT: 1
    steps:
      - uses: actions/checkout@v4

      - name: Set up Google Cloud SDK
        uses: google-github-actions/setup-gcloud@v1
        with:
          project_id: my-project-123456
          service_account_key: ${{ secrets.GOOGLE_AUTHENTICATION_CREDENTIALS_JSON }}
          export_default_credentials: true  

      - name: Authorize Docker push
        run: gcloud auth configure-docker us-west1-docker.pkg.dev
        
      # Docker builder image
      - name: Build Builder with Cache
        id: build-with-cache
        continue-on-error: true
        run: >-
          docker build
          --build-arg BUILDKIT_INLINE_CACHE=1
          -f Dockerfile
          --cache-from ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}-builder:latest
          -t ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}-builder:latest
          --target builder
          .

      - name: Build Builder with Cache failed -> Build Builder without Cache
        if: ${{ steps.build-with-cache.outcome == 'failure' }}
        run: >-
          docker build
          -f Dockerfile
          -t ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}-builder:latest
          --target builder
          .

      # Docker runtime image
      - name: Build Runtime with Cache
        id: build-runtime-with-cache
        continue-on-error: true
        run: >-
          docker build
          --build-arg COLLECT_STATIC=1
          --build-arg BUILDKIT_INLINE_CACHE=1
          -f Dockerfile
          --cache-from ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}:latest
          -t ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}:${{ github.sha }}
          -t ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}:latest
          .

      - name: Build Runtime with Cache failed -> Build Runtime without Cache
        if: ${{ steps.build-runtime-with-cache.outcome == 'failure' }}
        run: >-
          docker build
          --build-arg COLLECT_STATIC=1
          -f Dockerfile
          -t ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}:${{ github.sha }}
          -t ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}:latest
          .

      - name: Push builder image to Artifact Registry
        run: docker push --all-tags ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}-builder

      - name: Push runtime image to Artifact Registry
        run: docker push --all-tags ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}

      - name: Deploy to Cloud Run
        uses: google-github-actions/deploy-cloudrun@v1
        with:
          service: ${{ secrets.CLOUD_RUN_NAME }}
          image: ${{ secrets.RUNTIME_DOCKERIMAGE_URL }}:${{ github.sha }}
          region: us-west1

When the GitHub Action runs, it fails at the step "Push builder image to Artifact Registry" with the error below:

denied: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.uploadArtifacts" on resource "projects/***-123456/locations/us-west1/repositories/***-repo" (or it may not exist)

My service account does have the "Artifact Registry Admin" role assigned. The GitHub secret GOOGLE_AUTHENTICATION_CREDENTIALS_JSON value was copied from the service account's key JSON file. And my RUNTIME_DOCKERIMAGE_URL was set to

us-west1-docker.pkg.dev/my-project-123456/my-project-repo/my-project

Please help. Thanks.


Solution

  • As stated in Authenticating to a repository:

    You must authenticate to repositories whenever you use Docker or another third-party client with a Docker repository. This section provides a quick summary of what you'll need to authenticate successfully. For detailed instructions, see Setting up authentication for Docker.

    gcloud CLI credential helper

    The gcloud CLI credential helper provides secure, short-lived access to your project resources. It configures Docker to authenticate to Artifact Registry hosts in any environment where the Google Cloud CLI is installed. Cloud Shell includes the Google Cloud CLI and a current version of Docker.

    The gcloud CLI credential helper is the simplest authentication method to set up. It configures Docker with the credentials of the active user or service account in your gcloud CLI session. Since this credential helper depends on gcloud CLI, it can be significantly slower than the standalone credential helper. For automated builds with third-party tools or Docker clients with a large number of configured registry hosts, use the standalone credential helper instead.

    To authenticate to Artifact Registry:

    1. Sign in to the gcloud CLI as the user that will run Docker commands.

       To configure authentication with user credentials, run the following command:

       gcloud auth login

    2. Run the following command:

       gcloud auth configure-docker us-west1-docker.pkg.dev

    You might also try the command below, as suggested in thread1 and thread2:

    gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev

    Note: change your region.
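The following is an added example, not code from the asker or the answerer, that serves both the workflow in the question and the token-login command in the answer. It rewrites the deploy job's authentication steps so that Docker actually presents a credential: google-github-actions/setup-gcloud@v1 no longer accepts the service_account_key and export_default_credentials inputs, so in the posted workflow gcloud had no active account and the credential helper sent nothing, which is exactly what "Unauthenticated request" means. The example authenticates with google-github-actions/auth, preferably keyless via Workload Identity Federation, and logs Docker in with the short-lived access token (the same mechanism as the answer's docker login -u oauth2accesstoken). The project number, pool, provider and service-account e-mail are hypothetical placeholders; the registry, project ID and image path are the ones from the question.

```yaml
# Added example (not the asker's or answerer's workflow). Hypothetical values:
# the project number 123456789012, the pool/provider names and the
# service-account e-mail. Replace them with your own.
permissions:
  contents: read
  id-token: write        # needed so the job can obtain a GitHub OIDC token for WIF

jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      REGISTRY: us-west1-docker.pkg.dev
      IMAGE: us-west1-docker.pkg.dev/my-project-123456/my-project-repo/my-project
    steps:
      - uses: actions/checkout@v4

      # Preferred: keyless authentication. No long-lived JSON key in GitHub secrets.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider
          service_account: github-deployer@my-project-123456.iam.gserviceaccount.com
          token_format: access_token
          # Fallback if you must keep the key file: remove the two inputs above and use
          # credentials_json: ${{ secrets.GOOGLE_AUTHENTICATION_CREDENTIALS_JSON }}

      - uses: google-github-actions/setup-gcloud@v2
        with:
          project_id: my-project-123456

      # Log Docker in with the short-lived OAuth token minted by the auth step.
      # Equivalent to: gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin
      # but it does not depend on the gcloud credential helper at push time.
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}

      # Fail fast: confirm gcloud has an active account and Docker holds a credential
      # for the registry host before spending minutes on the build.
      - name: Verify registry auth
        run: |
          gcloud auth list --filter=status:ACTIVE --format='value(account)' | grep -q . \
            || { echo "no active gcloud account"; exit 1; }
          grep -q "$REGISTRY" ~/.docker/config.json \
            || { echo "docker has no credential for $REGISTRY"; exit 1; }

      - name: Build and push
        run: |
          docker build -t "$IMAGE:${{ github.sha }}" -t "$IMAGE:latest" .
          docker push --all-tags "$IMAGE"
```

Two least-privilege points follow from this layout. Pushing needs only roles/artifactregistry.writer on the repository, not Artifact Registry Admin; and with Workload Identity Federation the pool's principal (scoped to this repository and branch in the provider's attribute condition) must hold roles/iam.workloadIdentityUser on the service account, while the service account itself has no key at all, so there is nothing to leak from the GitHub secrets store. The access token lives about an hour, which comfortably covers a build and push.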