AmmAr

Reputation: 354

Cloudbuild can't access Artifact Registry when building cloud run docker container

I'm using a package from Artifact Registry in my Cloud Run Node.js container. When I try to run gcloud builds submit, I get the following error:

Step #1: npm ERR! 403 403 Forbidden - GET https://us-east4-npm.pkg.dev/....
Step #1: npm ERR! 403 In most cases, you or one of your dependencies are requesting
Step #1: npm ERR! 403 a package version that is forbidden by your security policy.

Here is my cloudbuild.yaml:

steps:
 - name: gcr.io/cloud-builders/npm
   args: ['run', 'artifactregistry-login']

 - name: 'gcr.io/cloud-builders/docker'
   args: ['build', '-t', 'gcr.io/...', '.']
 
 - name: 'gcr.io/cloud-builders/docker'
   args: ['push', 'gcr.io/...']
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   entrypoint: gcloud
   args:
   - 'run'
   - 'deploy'
   - 'admin-api'
   - '--image'
   - 'gcr.io/...'
   - '--region'
   - 'us-east4'
   - '--allow-unauthenticated'
images:
 - 'gcr.io/....'

and Dockerfile

FROM node:14-slim

WORKDIR /usr/src/app

COPY --chown=node:node .npmrc ./

COPY package*.json ./


RUN npm install

COPY . ./

EXPOSE 8080

CMD [ "npm","run" ,"server" ]

.npmrc file:

@scope_xxx:registry=https://us-east4-npm.pkg.dev/project_xxx/repo_xxx/
//us-east4-npm.pkg.dev/project_xxx/repo_xxx/:always-auth=true

The Google build service account already has the permission "Artifact Registry Reader".

Upvotes: 3

Views: 1630

Answers (3)

user3524762

Reputation: 642

I had the same 403 error. Although my setup is similar to @AmmAr's, it required a different solution.

Disclaimer: The GCP 403 error message is vague, leading to different solutions for different setups. Unfortunately, you need to chip away and eliminate all possibilities.

Compared to @AmmAr's setup above, the changes I made:

  1. In my package.json, I added to the "scripts": {...} property:

    "artifactregistry-login": "npx google-artifactregistry-auth",
    "artifactregistry-auth-npmrc": "npx google-artifactregistry-auth .npmrc"
    
  2. In cloudbuild.yaml, I added two steps before the docker build step. My changes append an access token to .npmrc. This enabled Cloudbuild to authenticate with the Artifact Registry, resolving my 403 issue.

steps:
  - name: gcr.io/cloud-builders/npm          #step added
    args: ['run', 'artifactregistry-login']
  - name: gcr.io/cloud-builders/npm          #step added
    args: ['run', 'artifactregistry-auth-npmrc']
  - name: gcr.io/cloud-builders/docker
    args: ['build', '-t', 'gcr.io/...', '.']
 # next steps in your process...

  3. Final change to tie this all together. In the Dockerfile, ensure that the .npmrc file is copied to the container before the package.json file.

      # this must go first
      COPY .npmrc ./
    
      COPY package*.json ./
    
  4. Now run it and see if it gets past the build step where it pulls the npm module from the Artifact Registry.

Reference - Screenshot of my cloud build config

Upvotes: 1
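An added example (not code from any of the posts): a check that could run as a build step before `docker build` to confirm that every scoped registry in .npmrc has a credential entry for its registry path, and to report whether the file now holds a token that `COPY .npmrc` would place in an image layer. The sample .npmrc text is constructed from the question's file, the token is a placeholder, and the function names are hypothetical.

```javascript
// Constructed sample input: the question's .npmrc, before and after a token is appended.
const BEFORE = [
  '@scope_xxx:registry=https://us-east4-npm.pkg.dev/project_xxx/repo_xxx/',
  '//us-east4-npm.pkg.dev/project_xxx/repo_xxx/:always-auth=true',
].join('\n');
const AFTER = BEFORE +
  '\n//us-east4-npm.pkg.dev/project_xxx/repo_xxx/:_authToken="PLACEHOLDER_TOKEN"';

// Per-registry keys that npm reads as credentials.
const CRED_KEYS = new Set(['_authToken', '_auth', '_password']);

// Returns the scope -> registry prefix map and the prefixes that carry a credential.
function parseNpmrc(text) {
  const scopes = {};
  const credentialed = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    const scope = key.match(/^(@[^:]+):registry$/);
    if (scope) {
      // Normalise "https://host/path" to the "//host/path/" form used by credential keys.
      scopes[scope[1]] = value.replace(/^https?:/, '').replace(/\/?$/, '/');
      continue;
    }
    const cred = key.match(/^(\/\/.+\/):([^:]+)$/);
    const nonEmpty = value.replace(/"/g, '') !== '';
    if (cred && CRED_KEYS.has(cred[2]) && nonEmpty) credentialed.add(cred[1]);
  }
  return { scopes, credentialed };
}

// Scopes whose registry has no credential entry (assumption: a parent path also counts).
function scopesMissingAuth(text) {
  const { scopes, credentialed } = parseNpmrc(text);
  const prefixes = [...credentialed];
  return Object.keys(scopes).filter((s) => !prefixes.some((p) => scopes[s].startsWith(p)));
}

// True when the file holds a credential, so copying it into the image ships the token.
function holdsCredential(text) {
  return parseNpmrc(text).credentialed.size > 0;
}

console.log(scopesMissingAuth(BEFORE), scopesMissingAuth(AFTER), holdsCredential(AFTER));
```

A file for which `holdsCredential` returns true stays readable in the image layer created by `COPY .npmrc ./`, even if a later instruction deletes it.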

AmmAr

Reputation: 354

The solution that worked for me can be found in this blog post:

https://dev.to/brianburton/cloud-build-docker-and-artifact-registry-cicd-pipelines-with-private-packages-5ci2

Upvotes: 0

guillaume blaquiere

Reputation: 75950

You have to connect the CloudBuild network in your docker build command, like this:

 - name: 'gcr.io/cloud-builders/docker'
   args: ['build', '-t', 'gcr.io/...', '--network=cloudbuild', '.']

Upvotes: 2
