I have the following GitHub Actions script, and the JSON keyfile I am using here has owner privileges on the GCP project. I cannot push images to the GCP artifact docker repo.

    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Authenticate to Google Cloud
        uses: google-github-actions/[email protected]
        with:
          project_id: something-dev-tooling
          credentials_json: '${{ secrets.GCP_JSON }}'
      - name: Configure GCloud Auth provider with Docker
        run: |
          gcloud auth configure-docker australia-southeast1-docker.pkg.dev
      - name: Build Tag & Push Container
        run: |
          tagname="${{github.ref_name}}"
          docker build -t test-signup-api --target prod .
          docker tag test-signup-api australia-southeast1-docker.pkg.dev/something-docker/test-signup-api:$tagname
          docker push australia-southeast1-docker.pkg.dev/something-docker/test-signup-api:$tagname

This yields the following error:

    Successfully tagged test-signup-api:latest
    The push refers to repository [australia-southeast1-docker.pkg.dev/something-docker/test-signup-api]
    123f04c654be: Preparing
    1d4281763c85: Preparing
    4251fe09055f: Preparing
    a057xxef5483: Preparing
    c6323d11ce20: Preparing
    b4c1ae489097: Preparing
    07d2d7aa362e: Preparing
    7c1610cf2397: Preparing
    16427a3bb904: Preparing
    449a28044116: Preparing
    f11bbd657c82: Preparing
    b4c1ae489097: Waiting
    07d2d7aa362e: Waiting
    7c1610cf2397: Waiting
    16427a3bb904: Waiting
    449a28044116: Waiting
    f11bbd657c82: Waiting
    denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/something-docker/locations/australia-southeast1/repositories/test-signup-api" (or it may not exist)

Can anyone help?
CodePudding user response:
I am not sure if you just redacted the project_id with different names, but at first glance it looks like you are not tagging the Docker image with the correct project ID, and hence it's trying to push to a nonexistent project.
On your "Authenticate with gcloud" step, you have defined the project ID as:

    project_id: something-dev-tooling

So change the docker tag to the correct project ID; it would be:

    docker tag test-signup-api australia-southeast1-docker.pkg.dev/something-dev-tooling/test-signup-api:$tagname
    docker push australia-southeast1-docker.pkg.dev/something-dev-tooling/test-signup-api:$tagname

Now, if you are pushing to a different project ID (rather than the one you authenticated with gcloud), your Service Account will need cross-project permissions in order to push/download images from a different project.
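
The mismatch discussed above can be caught before `docker push` runs. The following is an added example, not part of the original question or answer and not Google tooling: it maps an image reference of the documented form `LOCATION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE:TAG` to the resource name that appears in the "denied" error, and compares its project with the one the workflow authenticated against. The function names `ar_resource_for_ref` and `ar_preflight` are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for an Artifact Registry Docker reference.
# Assumed layout: LOCATION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE:TAG

# Print the resource the registry authorises against, in the same form the
# error message reports it: projects/P/locations/L/repositories/R
ar_resource_for_ref() {
  local ref host path location project rest repo
  ref="$1"
  host="${ref%%/*}"            # everything before the first "/"
  path="${ref#*/}"             # everything after it
  case "$host" in
    *-docker.pkg.dev) ;;
    *) echo "not an Artifact Registry Docker host: $host" >&2; return 2 ;;
  esac
  location="${host%-docker.pkg.dev}"
  project="${path%%/*}"        # first path segment is read as the project
  rest="${path#*/}"
  if [ "$rest" = "$path" ]; then
    echo "missing repository segment in: $ref" >&2; return 2
  fi
  repo="${rest%%/*}"           # second path segment is read as the repository
  repo="${repo%%[:@]*}"        # drop a :tag or @digest if it is the last segment
  if [ -z "$project" ] || [ -z "$repo" ]; then
    echo "empty project or repository in: $ref" >&2; return 2
  fi
  printf 'projects/%s/locations/%s/repositories/%s\n' "$project" "$location" "$repo"
}

# Return 0 if the reference targets the project the credentials belong to,
# 1 on a project mismatch, 2 if the reference cannot be parsed.
ar_preflight() {
  local expected ref resource project
  expected="$1"; ref="$2"
  resource="$(ar_resource_for_ref "$ref")" || return 2
  project="${resource#projects/}"
  project="${project%%/*}"
  if [ "$project" != "$expected" ]; then
    echo "project mismatch: authenticated for '$expected', push targets $resource" >&2
    return 1
  fi
  echo "ok: $resource"
}
```

Called in the workflow as `ar_preflight something-dev-tooling "$image_ref"` ahead of the push step, a non-zero exit stops the job with the mismatching resource named, instead of a late "denied" from the registry.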