Serkox

Reputation: 11

How to push a docker image to the artifact registry from a github workflow

I am trying to build and push a Maven app as a Docker image to Artifact Registry during a GitHub workflow, but I get an error on the step "Push the docker image to Artifact Registry":

denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/***/locations/europe-west9/repositories/docker" (or it may not exist)

My workflow:

name: Build and deploy to GKE

on:
  push:
    branches: [infra/deployment-gke]

env:
  PROJECT_ID: ${{secrets.GCP_PROJECT_ID}}
  REGION: europe-west9
  CLUSTER: app-01
  DEPLOYMENT_NAME: app-api
  REPOSITORY: docker
  IMAGE: app-api

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    name: Setup, Build, Publish and Deploy
    environment: dev
    steps:

      - name: Checkout
        uses: actions/checkout@v3

      - name: Authenticate to Google Cloud
        id: auth
        uses: 'google-github-actions/auth@v0'
        with:
          credentials_json: '${{ secrets.KEY}}'
          token_format: 'access_token'

      - name: Docker configuration
        run: |-
          echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://$REGION-docker.pkg.dev
      - name: Set up GKE credentials
        uses: google-github-actions/get-gke-credentials@v0
        with:
          cluster_name: ${{ env.CLUSTER }}
          location: europe-west9

      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'zulu'
          cache: maven

      - name: Build with maven
        run: mvn clean package -pl ./app-api -am


      - name: Build the docker image
        run: |-
          docker build ./app-api --no-cache --progress=plain \
            --tag "$REGION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA" \
            --build-arg GITHUB_SHA="$GITHUB_SHA" \
            --build-arg GITHUB_REF="$GITHUB_REF"
      - name: Push the docker image to Artifact Registry
        run: |-
          docker push "$REGION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA"

My service account has the permission artifactregistry.repositories.uploadArtifacts through the role Artifact Registry Writer.

Every other step executes successfully except the last one. How can I fix it?

Upvotes: 1

Views: 1806
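The registry's "(or it may not exist)" wording means the reference itself is worth checking before the credentials are: the push target above is assembled from several variables, and an unset secret such as PROJECT_ID produces a reference with an empty component that no repository matches. The check below is an added example, not code from the question or the answer; the function name check_ar_push_target and the sample values are constructed for illustration. It verifies that the image reference has the Artifact Registry shape HOST/PROJECT/REPOSITORY/IMAGE:TAG with no empty component and that its host is the one docker login was run against.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer: a pre-push sanity
# check for the image reference the workflow assembles from env vars.
# The function name and the sample values below are constructed.

# check_ar_push_target LOGIN_HOST IMAGE_REF
# Exits 0 only when IMAGE_REF has the shape
#   REGION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE:TAG
# with no empty component and its host equals LOGIN_HOST.
# An unset PROJECT_ID secret is the classic source of an empty component:
# "$REGION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE" then contains "//",
# and the registry answers "denied ... (or it may not exist)".
check_ar_push_target() {
  login_host=$1
  image_ref=$2

  # Split on "/" only. A non-whitespace IFS character keeps empty fields,
  # so "host//repo/image:tag" yields four fields with an empty second one.
  old_ifs=$IFS
  set -f                      # no pathname expansion on the unquoted split
  IFS=/
  set -- $image_ref
  IFS=$old_ifs
  set +f

  if [ "$#" -ne 4 ]; then
    echo "expected HOST/PROJECT/REPOSITORY/IMAGE:TAG, got $# component(s): $image_ref" >&2
    return 1
  fi
  host=$1 project=$2 repository=$3 image_tag=$4

  # Only regional/multi-regional Artifact Registry Docker hosts are accepted.
  case "$host" in
    *-docker.pkg.dev) ;;
    *) echo "host '$host' is not an Artifact Registry Docker host" >&2; return 1 ;;
  esac
  if [ "$host" != "$login_host" ]; then
    echo "docker login used '$login_host' but the push target is '$host'" >&2
    return 1
  fi
  for component in "$project" "$repository" "$image_tag"; do
    if [ -z "$component" ]; then
      echo "empty component in '$image_ref' (PROJECT_ID, REPOSITORY or IMAGE unset?)" >&2
      return 1
    fi
  done
  # Require IMAGE:TAG (or IMAGE@sha256:...) with a non-empty tag/digest.
  case "$image_tag" in
    *:?*) ;;
    *) echo "'$image_tag' has no tag; expected IMAGE:TAG" >&2; return 1 ;;
  esac
  return 0
}

# Constructed demo values mirroring the workflow's variables.
REGION=europe-west9
REPOSITORY=docker
IMAGE=app-api
GITHUB_SHA=0123abcd

if [ -z "${PROJECT_ID:-}" ]; then
  echo "PROJECT_ID is unset; the real push target would be malformed" >&2
fi
check_ar_push_target "$REGION-docker.pkg.dev" \
  "$REGION-docker.pkg.dev/${PROJECT_ID:-my-project}/$REPOSITORY/$IMAGE:$GITHUB_SHA" \
  && echo "push target looks consistent"
```

Run it as an extra step before the push, with the same env block as the workflow, and it fails the job with a readable message instead of the registry's opaque denial when the reference is malformed or the login host differs from the push host.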

Answers (1)

Sinaesthetic

Reputation: 12192

I think the auth action goes through the whole process of authorizing the runner, but the way Google auth typically works is by having a JSON key on the file system and then referencing an environment variable which points to the key, and that allows the SDK to authorize with each request.

The action appears to do all of this and then exports the environment variable, but with the way GHA works, it doesn't automatically become available in subsequent steps.

Try re-adding the environment variable to your push step, which worked for me:

env:
  GOOGLE_APPLICATION_CREDENTIALS: ${{ env.GOOGLE_APPLICATION_CREDENTIALS }}

Upvotes: 0
