Reputation: 300
We've started migrating to Google Container Registry, from previously using our own in-house Docker Registry to host our images. As part of this, I'm creating an application that can query the available tags in the registry and return the list of results. For a public registry, this is trivial. I simply send an HTTP request to the API, demonstrated here with curl:
curl https://example.docker.registry/v2/myapp/tags/list
And this works from the command line with GCR too, as long as I authenticate first:
curl -u "oauth2accesstoken:`gcloud auth print-access-token`" https://eu.gcr.io/v2/myproject/myapp/tags/list
I want to do exactly this programmatically, and I've followed one of the many Google pages on creating a GCP service account key such as this one: https://cloud.google.com/iam/docs/creating-managing-service-account-keys
I've now got a service account that I've given the requisite permissions, and I've got a JSON key file for that service account. But all the instructions I can find online tell me how to use this with gcloud or docker installed. Even the steps that use client libraries are so weak on documentation and explanations that I can't make headway.
My application doesn't need the complexity of extra tools, I just want to send an HTTP request in the same way I do with the public registry. I expect that the JSON access key file contains all the pieces I need, even if there is a ritual exchange with Google first. I can't find any info on how to use the contents though. Is this documented anywhere?
Upvotes: 2
Views: 1860
Reputation: 3881
I realize this question is a bit older but since it came up in my own search on the topic, I want to provide an answer here for how I managed to solve it.
I have created a whole Python application to inspect tags so you may also be interested in that but I will try to describe the relevant parts here.
In my tests the GCR API accepted a Bearer token (as could be provided by the command gcloud auth print-access-token) for all of my calls. However, it is possible, and that is what I have chosen, to get another short-lived access token specifically from the GCR API. Curiously, even though the Www-Authenticate challenge coming from the GCR API wants a Bearer token, you can also use Basic authentication to retrieve an access token. You also need to provide the scope and service as query parameters. So taking everything together, you would make a request corresponding to the following curl call:
curl --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
--header "Authorization: Bearer <token>" \
"https://gcr.io/v2/token?scope=repository:<myorg>/<myimage>:pull&service=gcr.io"
or the Basic authentication version with -u <name>:<password>. The JSON response contains a "token" key whose value you can store and use for all the following requests.
You get the list of tags in a similar way using the new access-token:
curl --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
--header "Authorization: Bearer <access-token>" \
https://gcr.io/v2/<myorg>/<myimage>/tags/list
Please note that the response may be paginated.
When I run my Python program to inspect tags, I simply pass it the OAuth2 token via standard in, e.g.,
gcloud auth print-access-token | tag-spy ...
I found most of my questions answered in this blog post so kudos to the author.
P.S.: You can also set an encoding header which can help with the large JSON responses (Accept-Encoding: gzip, deflate).
Upvotes: 0
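The exchange described in the answer above, as an added Python example (not the answerer's own tag-spy code): it swaps an OAuth2 access token for a pull-only registry token using the Basic form, then lists tags and follows pagination. The function names and the injectable `get` transport are assumptions made for this example, as is pagination via the Docker Registry v2 `Link: <...>; rel="next"` header; a next-page link is followed only when it stays on the registry's origin, so the token is never sent elsewhere.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode, urljoin, urlsplit

def http_get(url, headers):
    """Default transport: returns (parsed JSON body, Link header or None)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp), resp.headers.get("Link")

def registry_token(oauth_token, repo, host="gcr.io", get=http_get):
    """Swap an OAuth2 access token for a short-lived, pull-only registry token."""
    # Basic auth with the fixed user name "oauth2accesstoken", as in the question's curl.
    basic = base64.b64encode(f"oauth2accesstoken:{oauth_token}".encode()).decode()
    query = urlencode({"scope": f"repository:{repo}:pull", "service": host})
    body, _ = get(f"https://{host}/v2/token?{query}", {"Authorization": f"Basic {basic}"})
    return body["token"]

def next_page(link_header, current_url):
    """Return the rel="next" URL from a Link header, or None if there is none."""
    # Assumption: pagination uses the Docker Registry v2 Link header.
    for part in (link_header or "").split(","):
        target, _, params = part.partition(";")
        if 'rel="next"' in params.replace(" ", ""):
            url = urljoin(current_url, target.strip().strip("<>"))
            # Compare (scheme, host): the bearer token must not leave the registry.
            if urlsplit(url)[:2] != urlsplit(current_url)[:2]:
                raise ValueError(f"refusing cross-origin next link: {url}")
            return url
    return None

def list_tags(oauth_token, repo, host="gcr.io", get=http_get):
    """Collect every tag of `repo`, following paginated responses."""
    token = registry_token(oauth_token, repo, host, get)
    headers = {"Authorization": f"Bearer {token}"}
    url, tags = f"https://{host}/v2/{repo}/tags/list", []
    while url:
        body, link = get(url, headers)
        tags += body.get("tags") or []
        url = next_page(link, url)
    return tags

if __name__ == "__main__":
    import sys
    # Token on stdin, repository as the first argument (e.g. myproject/myapp).
    print(list_tags(sys.stdin.read().strip(), sys.argv[1]))
```

Reading the token from standard input keeps it out of the process list and shell history, matching the piping approach the answer uses.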
Reputation: 81356
My application doesn't need the complexity of extra tools, I just want to send an HTTP request in the same way I do with the public registry. I expect that the JSON access key file contains all the pieces I need, even if there is a ritual exchange with Google first. I can't find any info on how to use the contents though. Is this documented anywhere?
The steps to go from service account JSON file to OAuth Access Token are not really documented by Google in any one place. The issue is that OAuth is very broad and there are many features and implementation details. We learned how to do this by studying the source code in the libraries.
I wrote an article that covers this in detail and includes working Python code. This article includes an example of making REST API calls. Other articles on my site also include examples to make REST API calls with OAuth Access Tokens.
Google Cloud – Creating OAuth Access Tokens for REST API Calls
The process seems complicated at first glance but is very easy to understand once you get your hands around everything.
My article covers how to do the following steps to go from JSON to OAuth Token to REST API.
Upvotes: 1