Jackie

Reputation: 23527

Why is Maven getting 403 when trying to push cloud function pointing at Cloud Registry?

I have a simple cloud function that relies on a jar published in Artifact Registry. I have confirmed the App Engine default service account has Artifact Registry Reader. Then I add the registries into Maven like this...

<distributionManagement>
    <repository>
        <id>artifact-registry-release</id>
        <url>artifactregistry://us-central1-maven.pkg.dev/.../...</url>
    </repository>

    <snapshotRepository>
        <id>artifact-registry</id>
        <url>artifactregistry://us-central1-maven.pkg.dev/.../...</url>
    </snapshotRepository>
</distributionManagement>
<repositories>
    <repository>
        <id>artifact-registry-release</id>
        <url>artifactregistry://us-central1-maven.pkg.dev/.../...</url>
        <releases>
            <enabled>true</enabled>
        </releases>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>
    <repository>
        <id>artifact-registry</id>
        <url>artifactregistry://us-central1-maven.pkg.dev/.../...</url>
        <releases>
            <enabled>false</enabled>
        </releases>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
    </repository>
</repositories>

But when I try to push the cloud function I get...

Permission denied on remote repository (or it may not exist). 403 Forbidden

Is it not using the App Engine account? What is the proper SA to add permissions to get it to work?

Also it may be a red herring because the full message is...

Failed to execute goal on project ...: Could not resolve dependencies for project ...identity:...:jar:0.0.1-SNAPSHOT: Failed to collect dependencies at ...identity:...:jar:0.0.1-SNAPSHOT: Failed to read artifact descriptor for ...identity:...:jar:0.0.1-SNAPSHOT: Could not transfer artifact ...:...:pom:0.0.1-SNAPSHOT from/to artifact-registry (artifactregistry://us-central1-maven.pkg.dev/.../...): Permission denied on remote repository (or it may not exist). 403 Forbidden
[ERROR] {"error":"Permission \"artifactregistry.repositories.downloadArtifacts\" denied on resource \"projects/pure-infra/locations/us-central1/repositories/..." (or it may not exist)"}

Notice the pom instead of jar.

Also, everything seems to work locally (my user also has read permissions) when I run mvn -U clean install.

Upvotes: 0

Views: 343

Answers (1)

Jackie

Reputation: 23527

In my case I needed to add permissions for the Compute Engine default service account instead of the App Engine one.

Upvotes: 2
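
A diagnostic sketch for the situation in this thread, added here as an example and not code from the post: it pulls the denied permission and repository out of the Maven 403 line, then reports which of the two default service accounts has no read role in a repository IAM policy. It assumes the policy is a dict in the shape printed by `gcloud artifacts repositories get-iam-policy --format=json`; the function names, project ID, project number and repository name are constructed placeholders, and only the predefined Artifact Registry roles are checked.

```python
import re

# Predefined Artifact Registry roles that carry
# artifactregistry.repositories.downloadArtifacts (basic/custom roles omitted).
READ_ROLES = {
    "roles/artifactregistry.reader",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
}

DENIED = re.compile(
    r'Permission \\?"(?P<permission>[\w.]+)\\?" denied on resource '
    r'\\?"projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)'
    r'/repositories/(?P<repo>[^"\\ ]+)'
)

def parse_denied(line):
    """Return permission, project, location and repo from a Maven 403 line.
    A regex is used because the error body is not always valid JSON."""
    m = DENIED.search(line)
    return m.groupdict() if m else None

def default_service_accounts(project_id, project_number):
    """IAM member strings of the two default accounts named in this thread."""
    return {
        "App Engine default":
            f"serviceAccount:{project_id}@appspot.gserviceaccount.com",
        "Compute Engine default":
            f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com",
    }

def missing_read_access(policy, project_id, project_number):
    """Names of default accounts with no read role in the repository policy."""
    granted = {m for b in policy.get("bindings", [])
               if b.get("role") in READ_ROLES for m in b.get("members", [])}
    accounts = default_service_accounts(project_id, project_number)
    return [name for name, member in accounts.items() if member not in granted]

# Constructed sample data (project, repository and number are placeholders).
SAMPLE_ERROR = (r'[ERROR] {"error":"Permission \"artifactregistry.repositories.'
                r'downloadArtifacts\" denied on resource \"projects/example-project'
                r'/locations/us-central1/repositories/example-repo\" (or it may not exist)"}')
SAMPLE_POLICY = {"bindings": [{
    "role": "roles/artifactregistry.reader",
    "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"],
}]}

if __name__ == "__main__":
    print(parse_denied(SAMPLE_ERROR), missing_read_access(SAMPLE_POLICY, "example-project", "123456789012"))
```

Checking the policy of the single repository, rather than the project-wide policy, keeps any resulting grant scoped to the one repository the build reads from.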
