Reputation: 591
I am trying to push docker container to Artifact Registry on GCP but I got an error on step Push Docker Image to Artifact Registry
```
denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/PROJECT_ID/locations/asia-south1/repositories/images" (or it may not exist)
Error: Process completed with exit code 1.
```

```yaml
name: Build image and push to Artifact Registry of GCP
on:
  push:
    branches:
      - master
jobs:
  build-push-artifact:
    name: Build and push Artifact Registry
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - id: 'auth'
        uses: 'google-github-actions/auth@v1'
        with:
          credentials_json: '${{ secrets.ACCOUNT_KEY }}'
      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v1'
      - name: 'Use gcloud CLI'
        run: 'gcloud info'
      - name: build Docker Image
        run: docker build -t MY_IMAGE:latest .
      - name: Configure Docker Client of Gcloud
        run: |-
          gcloud auth configure-docker --quiet
          gcloud auth configure-docker asia-south1-docker.pkg.dev --quiet
      - name: Push Docker Image to Artifact Registry
        env:
          GIT_TAG: v0.1.0
        run: |-
          docker tag MY_IMAGE:latest asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:latest
          docker tag MY_IMAGE:latest asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:$GIT_TAG
          docker push asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:latest
          docker push asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:$GIT_TAG
```
I also added the Artifact Registry Write principal to the repository with the service email. Every other step executes successfully except the last one. How can I fix it?
Upvotes: 41
Views: 57057
Reputation: 71
@Roman's response helped to fix the issue if I wanted to build/push the docker image from my local machine; however, it didn't help when doing the same from inside github actions. I had to add the following steps to the github actions workflow file to fix the Docker authentication issue with GAR: more here
```yaml
- name: 'Login to GAR'
  uses: 'docker/login-action@v3'
  with:
    registry: ${{ env.REGION }}-docker.pkg.dev
    username: _json_key
    password: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY }}
```
Note: you need to replace the env/secret with your own of course.
Upvotes: 0
Reputation: 35364
In my case, I just go for the command without region
```bash
gcloud auth configure-docker
```
Upvotes: 3
Reputation: 31
I'm not able to resolve the error even after following all the suggestions mentioned above:
```bash
gcloud auth configure-docker europe-west2-docker.pkg.dev
echo "$(gcloud auth print-access-token --impersonate-service-account SA@<PRJ_NAME>.iam.gserviceaccount.com)" | docker login -u oauth2accesstoken --password-stdin europe-west2-docker.pkg.dev
```

git_workflow.yml

```yaml
name: CI
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - id: 'auth'
        name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
        with:
          create_credentials_file: true
          workload_identity_provider: 'projects/<PRJ_ID>/locations/global/workloadIdentityPools/github/providers/<PRJ_NAME>'
          service_account: 'SA@<PRJ_NAME>.iam.gserviceaccount.com'
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: '3.8'
      - name: Install dbt
        run: |
          pip install dbt-bigquery
      - name: "Set up Cloud SDK"
        uses: google-github-actions/setup-gcloud@v1
      - name: "Use gcloud CLI"
        run: gcloud info
      - name: "Docker auth"
        run: |
          gcloud auth configure-docker europe-west2-docker.pkg.dev --quiet
      - name: Build image
        run: |
          pwd
          docker build . --file Dockerfile --tag europe-west2-docker.pkg.dev/<PRJ_NAME>/dbt/image:latest --build-arg PKG=autoflowx_dbt
        working-directory: ${{ github.workspace }}/autoflowx_dbt
      - name: Push image
        run: |
          echo "$(gcloud auth print-access-token --impersonate-service-account SA@<PRJ_NAME>.iam.gserviceaccount.com)" | docker login -u oauth2accesstoken --password-stdin europe-west2-docker.pkg.dev
          docker push europe-west2-docker.pkg.dev/<PRJ_NAME>/dbt/image:latest
```

Error

```
docker push europe-west2-docker.pkg.dev/<PRJ_NAME>/dbt/image:latest
ERROR: (gcloud.auth.docker-helper) There was a problem refreshing your current auth tokens: ('Unable to acquire impersonated credentials', '{\n "error": {\n "code": 403,\n "message": "Permission \'iam.serviceAccounts.getAccessToken\' denied on resource (or it may not exist).",\n "status": "PERMISSION_DENIED",\n "details": [\n {\n "@type": "type.googleapis.com/google.rpc.ErrorInfo",\n "reason": "IAM_PERMISSION_DENIED",\n "domain": "iam.googleapis.com",\n "metadata": {\n "permission": "iam.serviceAccounts.getAccessToken"\n }\n }\n ]\n }\n}\n')
Please run:
$ gcloud auth login
to obtain new credentials.
If you have already logged in with a different account, run:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
```
Upvotes: 0
Reputation: 477
If you are using WSL2, are sure you installed gcloud correctly, have the necessary permissions and are still having problems, follow these steps:

```bash
gcloud init
gcloud auth configure-docker us-central1-docker.pkg.dev
```

(replace the region)

It works for me! ;)
Upvotes: 9
Reputation: 11
I granted some permissions to ****@cloudbuild.gserviceaccount.com, i.e. to the Cloud Build service account that was provided by Google itself.
Upvotes: 0
Reputation: 39790
The error indicates one of the following:
roles/artifactregistry.writer)

In order to ensure GHA is logged in to Google Artifact Registry, you can use docker/login-action@v3 that supports authentication with both Workload Identity Federation:

```yaml
name: ci
on:
  push:
    branches: main
jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      -
        name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v1
        with:
          token_format: access_token
          workload_identity_provider: <workload_identity_provider>
          service_account: <service_account>
      -
        name: Login to GAR
        uses: docker/login-action@v3
        with:
          registry: <location>-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
```
Upvotes: 5
Reputation: 493
Finally this worked for me. I was also facing above issue for Artifact registry.
So before executing docker push, I did authentication. This step is not exactly mentioned in docs but this worked for me.
```bash
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev
```
Note:- change your region.
Upvotes: 16
Reputation: 31
One more error scenario and how I fixed this error:
If you had installed docker via snap (on Ubuntu), this version of docker looks for the config file at a different path and will not take the config file updated by the gcloud auth configure-docker... step, which updates the docker config file at ~/.docker/config.json.
In my case, I uninstalled the snap version and re-installed docker via the helper scripts given on Docker website. Alternatively you can copy the updated config to the location where the snap's docker is installed.
Upvotes: 3
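Several answers on this page come down to whether the Docker config file that `docker push` actually reads has credentials for the regional Artifact Registry host. The following is an added example, not code from any of the posts: it derives the IAM resource name shown in the error from an image reference and checks a config file's contents for a matching entry. The function names are hypothetical and the three sample configs are constructed.

```python
import json

AR_SUFFIX = "-docker.pkg.dev"

def repository_resource(image_ref):
    """Map HOST/PROJECT/REPO/IMAGE[:TAG] to (host, IAM resource name)."""
    host, _, path = image_ref.partition("/")
    parts = path.split("/")
    if not host.endswith(AR_SUFFIX) or len(parts) < 3:
        raise ValueError("expected LOCATION-docker.pkg.dev/PROJECT/REPO/IMAGE")
    location = host[: -len(AR_SUFFIX)]
    return host, f"projects/{parts[0]}/locations/{location}/repositories/{parts[1]}"

def credential_source(config_text, host):
    """Say where Docker would get credentials for host, or None if nowhere."""
    cfg = json.loads(config_text)
    helper = cfg.get("credHelpers", {}).get(host)
    if helper:
        return "credHelper:" + helper
    for key, entry in cfg.get("auths", {}).items():
        # docker login may record the key with or without a scheme
        if key.split("://", 1)[-1].rstrip("/") != host:
            continue
        if entry.get("auth") or entry.get("identitytoken"):
            return "auths"
        if cfg.get("credsStore"):
            # empty auths entry: the secret lives in the external store
            return "credsStore:" + cfg["credsStore"]
    return None

# Constructed sample configs (not taken from the page).
GCR_ONLY = '{"credHelpers": {"gcr.io": "gcloud", "us.gcr.io": "gcloud"}}'
REGIONAL = '{"credHelpers": {"gcr.io": "gcloud", "asia-south1-docker.pkg.dev": "gcloud"}}'
LOGGED_IN = '{"auths": {"https://us-central1-docker.pkg.dev": {"auth": "Y29uc3RydWN0ZWQ="}}}'

if __name__ == "__main__":
    ref = "asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:latest"
    host, resource = repository_resource(ref)
    print(resource)
    for name, text in [("GCR_ONLY", GCR_ONLY), ("REGIONAL", REGIONAL)]:
        print(name, "->", credential_source(text, host))
```

On a real machine, pass in the contents of the config file the Docker client in use reads; a `None` result means the push goes out without credentials for that host, whatever roles the account holds.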
Reputation: 787
If above solution by Roman didn't solve the issue, you should check the Roles assigned to the user through which you are trying to push the images to registry.
IAM Policy Troubleshooter can help in this, for example you can provide your User Email as Principal, Resource you wanna access (in this case the Registry), and the permission which is expected ('uploadArtifacts' in this case):
Upvotes: 3
Reputation: 4205
Ok, I spent a lot of time on this now and there are two possible solutions:
1. gcloud auth login
2. gcloud auth configure-docker europe-west1-docker.pkg.dev (make sure to specify appropriate region)

The second one did it for me.
Upvotes: 98