ta539tg70

Reputation: 317

Getting 403 Forbidden from Artifact Registry While Deploying a Cloud Function

What I Want to Do

I have published my private npm package onto Artifact Registry, and the diagram below is what I'm trying to do.

[diagram: private npm package published to Artifact Registry in project-common, consumed by Cloud Functions in project-staging and project-production; image not available]

Basically I want to use the private package from both project-staging and project-production. So my package.json looks something like:

"dependencies": {
  "@<scope>/private_package": "^1.0.0"
}

What I Did

Giving Permission to Cloud Build Service Account

I gave the artifactregistry.reader role to both <project-staging_id>@cloudbuild.gserviceaccount.com and <project-production_id>@cloudbuild.gserviceaccount.com under the IAM menu in project-common.

.npmrc Preparation

cd path/to/project_directory

gcloud artifacts print-settings npm \
    --project=project-common \
    --repository=private_package \
    --location=<location> \
    --scope=@<scope>

vim .npmrc
# => add the output of the above gcloud command

npx google-artifactregistry-auth .npmrc

Deploy

gcloud config configurations activate project-staging

gcloud functions deploy <function_name> --gen2 --region=<region> --trigger-http --runtime=nodejs16 --entry-point=<entry_point>

This gives me the following error.

ERROR: (gcloud.functions.deploy) OperationError: code=3, message=Build failed with status: FAILURE and message: npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://<URL>.tgz - Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "<resource_name>" (or it may not exist)

I don't know why I'm getting this even though <project-staging_id>@cloudbuild.gserviceaccount.com has artifactregistry.reader permission. Is there anything else I should do?

Upvotes: 1

Views: 2806

Answers (2)

ta539tg70

Reputation: 317

This was because I had added .npmrc to .gcloudignore. Removing .npmrc from .gcloudignore made it work. Silly mistake.
I'm going to try "Automate and protect your Cloud Function" as a next step, but for now my problem has been solved :)

Upvotes: 0

Mazlum Tosun

Reputation: 6572

Normally the role roles/artifactregistry.reader is sufficient to download packages from the repo on project_common.

If project_staging and project_production have roles/artifactregistry.reader on project_common, it should work.

The roles/artifactregistry.reader role contains the following permissions:

artifactregistry.repositories.list
artifactregistry.repositories.get
artifactregistry.repositories.downloadArtifacts
artifactregistry.files.list
artifactregistry.files.get
artifactregistry.packages.list
artifactregistry.packages.listTagBindings
artifactregistry.repositories.listEffectiveTags
artifactregistry.packages.list
artifactregistry.tags.list
artifactregistry.tags.get
artifactregistry.versions.list
artifactregistry.versions.get
artifactregistry.locations.list
artifactregistry.locations.get

Please check your configuration again, and the identity that performs the failed action.

Upvotes: 1
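The two answers point at two different failure modes: the asker's .gcloudignore excluded .npmrc from the upload, so the Cloud Build step had no Artifact Registry credentials at all, while Mazlum's answer is about whether the bound role actually grants the permission named in the npm E403 line. The script below is an added example, not code from either poster, that checks both before a deploy. It is a deliberately small simulation of .gcloudignore matching (comments, blank lines, `!` negation, root-anchored `/` patterns and `#!include:` expansion from an in-memory dict standing in for sibling files) and a lookup of the service account's roles in the JSON that `gcloud projects get-iam-policy project-common --format=json` prints. The role-to-permission table is taken from the list in the answer above; the service-account name, ignore file, policy document and npm error text are constructed placeholders mirroring the question.

```python
"""Pre-deploy diagnosis for the Cloud Functions + Artifact Registry setup in
this thread (added example; inputs below are constructed placeholders)."""
import fnmatch
import json
import re
from typing import Dict, List, Optional, Set

# --- (1) .gcloudignore simulation: would .npmrc be stripped from the upload? ---

def parse_ignore(text: str, includes: Optional[Dict[str, str]] = None) -> List[str]:
    """Collect patterns, expanding '#!include:<file>' lines from `includes`
    (a dict standing in for sibling files on disk). Comments and blank
    lines are dropped."""
    patterns: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#!include:"):
            name = line[len("#!include:"):].strip()
            patterns.extend(parse_ignore((includes or {}).get(name, ""), includes))
        elif line and not line.startswith("#"):
            patterns.append(line)
    return patterns

def _matches(pattern: str, path: str) -> bool:
    """gitignore-style match: a pattern with no '/' matches any path
    component; a leading '/' anchors it to the upload root."""
    pattern = pattern.rstrip("/")
    if pattern.startswith("/"):
        return fnmatch.fnmatch(path, pattern[1:])
    if "/" in pattern:
        return fnmatch.fnmatch(path, pattern)
    return any(fnmatch.fnmatch(part, pattern) for part in path.split("/"))

def is_excluded(path: str, patterns: List[str]) -> bool:
    """Last matching pattern wins; a leading '!' re-includes the path."""
    excluded = False
    for pat in patterns:
        negate = pat.startswith("!")
        if _matches(pat[1:] if negate else pat, path):
            excluded = not negate
    return excluded

# --- (2) bound roles vs. the permission npm was denied -------------------------

# Permissions of roles/artifactregistry.reader as listed in the answer above.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/artifactregistry.reader": {
        "artifactregistry.repositories.list",
        "artifactregistry.repositories.get",
        "artifactregistry.repositories.downloadArtifacts",
        "artifactregistry.files.list",
        "artifactregistry.files.get",
        "artifactregistry.packages.list",
        "artifactregistry.packages.listTagBindings",
        "artifactregistry.repositories.listEffectiveTags",
        "artifactregistry.tags.list",
        "artifactregistry.tags.get",
        "artifactregistry.versions.list",
        "artifactregistry.versions.get",
        "artifactregistry.locations.list",
        "artifactregistry.locations.get",
    },
}

DENIED_RE = re.compile(r'Permission "([\w.]+)" denied on resource "([^"]*)"')

def denied_permission(npm_error: str) -> Optional[str]:
    """Pull the permission name out of the npm 403 text, if present."""
    m = DENIED_RE.search(npm_error)
    return m.group(1) if m else None

def roles_for(policy_json: str, member: str) -> Set[str]:
    """Roles bound to `member` in a get-iam-policy JSON document."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def diagnose(gcloudignore: str, includes: Dict[str, str], policy_json: str,
             member: str, npm_error: str) -> List[str]:
    """Return the findings that explain the failed deploy (empty = none found)."""
    findings: List[str] = []
    if is_excluded(".npmrc", parse_ignore(gcloudignore, includes)):
        findings.append("npmrc_ignored")
    perm = denied_permission(npm_error)
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set())
                            for r in roles_for(policy_json, member)))
    if perm and perm not in granted:
        findings.append("missing_permission:" + perm)
    return findings

# --- constructed sample inputs mirroring the thread ---------------------------
SA_MEMBER = "serviceAccount:<project-staging_id>@cloudbuild.gserviceaccount.com"
SAMPLE_GCLOUDIGNORE = "#!include:.gitignore\n.gcloudignore\n.npmrc\n"
SAMPLE_INCLUDES = {".gitignore": "node_modules/\n# local secrets\n.env\n"}
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/artifactregistry.reader", "members": [SA_MEMBER]},
    {"role": "roles/viewer", "members": ["user:placeholder@example.com"]},
]})
SAMPLE_NPM_ERROR = ('npm ERR! 403 403 Forbidden - GET https://<URL>.tgz - Permission '
                    '"artifactregistry.repositories.downloadArtifacts" denied on resource '
                    '"<resource_name>" (or it may not exist)')

if __name__ == "__main__":
    # With the sample inputs the role is fine but .npmrc is ignored: ['npmrc_ignored']
    print(diagnose(SAMPLE_GCLOUDIGNORE, SAMPLE_INCLUDES, SAMPLE_POLICY, SA_MEMBER, SAMPLE_NPM_ERROR))
```

Two caveats for real use. The matcher is a simplification of gcloud's ignore rules; the authoritative check for what will actually be uploaded is `gcloud meta list-gcloudignore` run in the function directory, and .npmrc must appear in that list. The policy check only looks at project-level bindings; if the reader role was granted on the repository instead, export that policy with `gcloud artifacts repositories get-iam-policy` and pass it in the same way, since a role bound at either level grants the permission.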
