deals my

Reputation: 133

Access Google Artifact repository image from onprem K8S using Workload Identity Federation

I have set up a K3S cluster (a bare metal k8s cluster) on my laptop. I am planning to set up Workload Identity Federation between this cluster and my GCP Artifact repository, so I will be able to pull images successfully onto my onprem cluster.

First, I have followed this documentation https://cloud.google.com/iam/docs/workload-identity-federation-with-kubernetes#kubernetes_1 and able to execute till end, got the token printed. So the configuration is successful.

As a next step, I have simply changed the image in the pod.yaml example and granted Artifact Registry Reader access to the service account set in the above example. When I delete the pod and apply the yaml file again, the container fails:

failed to authorize, failed to fetch anonymous token: unexecuted status from GET request to https://us-west-docker.pkg.dev/v2/token? xxxxxxxxxxxx

The image exists in GAR and the version is correct; I am able to pull the same image and version using docker on my laptop.

Can you please let me know what else I am missing to download an image from GAR using workload identity federation?

Thanks Sri

Upvotes: 0

Views: 697

Answers (1)

Srividya

Reputation: 2323

The error "failed to authorize, failed to fetch anonymous token" might be occurring because the access token is a short-lived token used to authenticate with Artifact Registry. Since the token is valid for 60 minutes, you should request it less than an hour before you use it to connect to Artifact Registry. Also check the troubleshooting steps below:

  1. Check Workload Identity Federation: You must enable Workload Identity Federation for GKE on clusters and node pools using the Cloud CLI or Cloud console. Workload Identity Federation for GKE must be enabled at the cluster level before you can enable WIF for GKE on node pools.
     • To enable Workload Identity Federation for GKE on an existing cluster, run the command:

         gcloud container clusters update CLUSTER_NAME --region=COMPUTE_REGION --workload-pool=PROJECT_ID.svc.id.goog

  2. Authentication: If you are configuring Docker to authenticate to Artifact Registry Docker repositories, Docker requires privileged access to interact with registries. If you are using a Linux or Windows VM, add the user who will run Docker commands to the Docker security group. For Linux, the command is:

         sudo usermod -a -G docker ${USER}

     Refer to the documentation for Windows and MacOS machines.

  3. If you're using service account keys, try to use an access token instead to reduce the risk of unauthorized access to your artifacts.

  4. Check third-party clients like Docker, which need both permissions and authentication to be configured.

EDIT:

Even though you are not using GKE, you still need to enable WIF for your on-prem Kubernetes cluster. This involves creating a service account in GCP and binding it to the gke-connect role. WIF allows Kubernetes pods to access Google Cloud resources using the identity of the service account associated with the pod. Also make sure service account has the necessary permissions to pull images from the repository.

Also check whether the issuer URL in the WIF configuration is incorrect. The issuer URL should be the URL of the Kubernetes cluster that the pod is running in. Check the output of the command kubectl cluster-info, which will include the issuer URL.

Upvotes: 0
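The answer's EDIT suggests verifying the issuer URL used by the WIF provider. As an added diagnostic (not code from the question, the answer, or Google), the script below decodes the Kubernetes service account token that the pod presents to the workload identity pool and reports whether its issuer, audience and expiry match what the provider expects. EXPECTED_ISSUER, EXPECTED_AUDIENCE and the token itself are constructed placeholders; the token is unsigned and the signature is deliberately not verified, so this is for troubleshooting mismatches only, not for making trust decisions.

```python
import base64
import json
import time
from typing import List, Optional

# Hypothetical placeholders: replace with the issuer and audience your
# workload identity pool provider was actually created with.
EXPECTED_ISSUER = "https://kubernetes.default.svc.cluster.local"
EXPECTED_AUDIENCE = ("https://iam.googleapis.com/projects/PROJECT_NUMBER/locations/"
                     "global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Diagnostic only: a real check must verify the signature against the
    cluster's JWKS before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_issuer: str, expected_audience: str,
                now: Optional[float] = None) -> List[str]:
    """Return human-readable problems; an empty list means iss, aud and exp
    match what the WIF provider expects."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer mismatch: token has {claims.get('iss')!r}, "
                        f"provider expects {expected_issuer!r}")
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience mismatch: token has {aud!r}")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token expired or missing exp; request a fresh token before use")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED JWT so the check can run offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.unsigned"
```

On a real cluster, read the token from the pod's projected service account volume and compare the reported issuer with the OIDC discovery document served at /.well-known/openid-configuration on the API server.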
