Issues with Google Artifact Registry Login

Summary

The user is transitioning from GitHub Container Registry to Google Artifact Registry (GAR) and is experiencing issues with logging in from an Earthfile. They are looking for the correct authentication method for GAR, as the standard docker login does not work. Despite trying to authenticate with the Google Cloud SDK, they are unable to push images to GAR. The user has encountered errors when passing JSON credentials directly, so they encoded the credentials in base64 and shared a code snippet of their method. They express a need for professional guidance and plan to discuss the issue in a meeting later that day.

Status
resolved
Tags
  • Google Artifact
  • Authentication
  • Earthfile
  • Google Artifact Registry
  • GitHub Container Registry
  • Google Cloud SDK
Source
#earthly
    jw

    7/30/2024

    Still no dice. <@U035VU5K46Q> <@U01EDDAJGFK> - we are meeting later today anyway so let’s talk about it then, but this is precisely why I need professional guidance :pray:

    jw

    7/30/2024

    Yep, already tried that as well. You cannot pass the json directly because the format will trigger some errors. I had to encode it in base64, with something like:

    ```
    run: |
      echo "GCLOUD_CREDENTIALS_FILE=$(jq -c . "${{ steps.gauth.outputs.credentials_file_path }}" | base64)" >> $GITHUB_ENV
    ```
    then call earthly:
    ```
    earthly --secret GCLOUD_CREDENTIALS_JSON=$GCLOUD_CREDENTIALS_FILE blah blah
    ```
    Inside the Earthfile,
    ```
    RUN echo "hello"
    RUN --secret GCLOUD_CREDENTIALS_JSON echo "$GCLOUD_CREDENTIALS_JSON" | base64 --decode > /tmp/decoded_credentials.json
    RUN --secret GCLOUD_CREDENTIALS_JSON gcloud auth activate-service-account --key-file /tmp/decoded_credentials.json
    RUN rm /tmp/decoded_credentials.json
    ```
    
    nacho

    7/30/2024

    > The article is not very specific though - how do I get access to key.json from within Earthly?

    Hi Jiuguang, you could pass your key.json through a secret (https://docs.earthly.dev/docs/guides/secrets). Something like:
    ```RUN --secret=GCP_KEY echo $GCP_KEY > /test/key.json```

    nacho

    7/30/2024

    > The article is not very specific though - how do I get access to key.json from within Earthly?

    > RUN --secret=GCP_KEY=gcp/ci-cd-key \
    >   echo $GCP_KEY > key.json
    >
    > RUN gcloud auth activate-service-account --key-file /test/key.json

    nacho

    7/29/2024

    Hi Jiuguang, let me TAL, and I will come back to you

    jw

    7/29/2024

    The article mentions (in the IAM section), this line: ```RUN gcloud auth activate-service-account --key-file /test/key.json``` The article is not very specific though - how do I get access to `key.json` from within Earthly?

    jw

    7/29/2024

    But Earthly at the very end cannot push the image to GAR

    jw

    7/29/2024

    Unfortunately this didn’t work. I’m doing something like:

    ```
            id: gauth
            uses: 'google-github-actions/auth@v2'
            with:
              workload_identity_provider: ${{ vars.GOOGLE_WORKLOAD_IDENTITY_PROVIDER }}
              service_account: ${{ vars.GOOGLE_DEFAULT_CI_SERVICE_ACCOUNT }}
              create_credentials_file: true

          - name: Set up Google Cloud SDK
            uses: 'google-github-actions/setup-gcloud@v2'

          - name: Save gcloud service account credentials
            run: |
              gcloud auth configure-docker us-docker.pkg.dev

          - name: Build and Push amd64 Docker
            run: |
              earthly --allow-privileged --ci --push --secret GITHUB_TOKEN=${{ secrets.PAT_SECRET }} \
                 +build-dmm-docker-amd64 \
                 --DOCKER_METADATA_TAG=${{ needs.extract_docker_image_tag.outputs.tag }}
    ```
    
    brandon

    7/24/2024

    Hi <@U062TUKQURM> authentication with registries usually involves a docker login on the host, then earthly automatically passes the credentials through to the build. We also have a doc here on using Google Artifact Registry with Earthly: https://docs.earthly.dev/docs/guides/configuring-registries/gcp-artifact-registry

    Does that help?

    jw

    7/22/2024

    I’m not sure what is the recommended way for GAR and would appreciate guidance. Thanks!

    jw

    7/22/2024

    My Earthfile is generating a Docker image, that I would like to publish to Github Container Registry and Google Artifacts Registry simultaneously. We used GHCR for a while and it works fine, but we are trying to switch to GAR. I have something like:

    ```
        FROM +blah
        ARG DOCKER_METADATA_TAG=default-tag

        SAVE IMAGE --push ghcr.io/blah/dmm_amd64:$DOCKER_METADATA_TAG
        SAVE IMAGE --push us-docker.pkg.dev/blah/starfish/dmm_amd64:$DOCKER_METADATA_TAG
    ```
    Is there an example of how I can log into GAR from within the Earthfile?
    For example, to authenticate with GHCR, I am passing in the Github PAT token. For example,
    ```
    earthly --allow-privileged --ci --push --secret GITHUB_TOKEN=${{ secrets.PAT_SECRET }} \
                +build-dmm-docker-arm64
    ```
    Inside the Earthfile, I have:
    ```
    RUN --secret GITHUB_TOKEN echo "machine github.com login $GITHUB_TOKEN" > $HOME/.netrc
    ```