
Documentation misses authorisation for Artifact Registry #354

Closed
julesvanrie opened this issue Feb 23, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@julesvanrie

TL;DR

Due to GCP migration to Artifact Registry, on new projects one needs to add the Artifact Registry Reader permission to the service account. This is not mentioned in the documentation (README.md).

Expected behavior

The gha to run with the permissions mentioned in the documentation.

Observed behavior

On a new project, which uses Artifact Registry for temp image, the build fails using the permissions mentioned in the documentation.

Adding Artifact Registry Reader solved the failure. All build successfully.

Action YAML

```
name: basic CD
on:
  push:
    branches: [ master, main ]
jobs:
  deploy-to-app-engine:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:

    # Checkout current branch
    - uses: 'actions/checkout@v3'

    # Authenticate via Service Account Key JSON
    # See https://github.com/google-github-actions/auth#authenticating-via-service-account-key-json-1
    - id: 'auth'
      uses: 'google-github-actions/auth@v2'
      with:
        credentials_json: '${{ secrets.GCP_SA_KEY }}'

    # Use Google official GHA to deploy 🎉
    - id: 'deploy'
      uses: 'google-github-actions/deploy-appengine@v2'
```

Log output

```
Run google-github-actions/deploy-appengine@v2
  with:
    promote: true
  env:
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: xxx
    GOOGLE_APPLICATION_CREDENTIALS: xxx
    GOOGLE_GHA_CREDS_PATH: xxx
    CLOUDSDK_CORE_PROJECT: xxx
    CLOUDSDK_PROJECT: xxx
    GCLOUD_PROJECT: xxx
    GCP_PROJECT: xxx
    GOOGLE_CLOUD_PROJECT: xxx
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/12....1b2 -f /home/runner/work/_temp/6d3....993
Successfully authenticated
Running: gcloud app deploy --quiet --format json app.yaml --promote
Error: google-github-actions/deploy-appengine failed with: failed to execute gcloud command `gcloud app deploy --quiet --format json app.yaml --promote`: Services to deploy:

descriptor:                  [xxx/app.yaml]
source:                      [xxx]
target project:              [xxx]
target service:              [default]
target version:              [20240223t165237]
target url:                  [xxx]
target service account:      [xxx]


Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 16 files to Google Cloud Storage               ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
Updating service [default]...
..............................................................................................................................................................................................................................................................................failed.
ERROR: (gcloud.app.deploy) Error Response: [7] failed to fetch metadata: generic::permission_denied: failed to fetch metadata from the registry for image "eu.gcr.io/.../app-engine-tmp/app/default/ttl-18h:42e...0141", with reason: generic::permission_denied: fetchImageMetadata from eu.gcr.io failed for image eu.gcr.io/.../app-engine-tmp/app/default/ttl-18h:42e3...41, reason: generic::permission_denied: failed to fetch manifest: generic::permission_denied: failed to fetch manifest "xxx/app-engine-tmp/app/default/ttl-18h/manifests/42...41", error: generic::permission_denied: got HTTP/403 response for URI https://eu.gcr.io/v2/xxx/app-engine-tmp/app/default/ttl-18h/manifests/42...41: (allowRedirect=false)
```

Additional information

The documentation lists 4 permissions to grant to the gha service account. It should also include Artifact Registry Reader.

@julesvanrie julesvanrie added the bug Something isn't working label Feb 23, 2024
@hawkeye-sama
Contributor

+1
You get an error like this: `reason: generic::permission_denied: failed to fetch manifest: generic::permission_denied:`
Docs do not have this; I got this issue on standard environment.
The fix

  • Enable the Artifact Registry API here
  • Add the Artifact Registry Reader to your service account.

A bug I encountered on console.
When you enable API, and go to service account tab and try to add the role to your service account, you're unable to find the new roles. So the workaround is to go to IAM tab and add it from there. ref StackOverflow

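The issue body and the comment above both describe the same fix (grant Artifact Registry Reader to the deploy service account) and the same symptom (`generic::permission_denied ... failed to fetch manifest` from `gcloud app deploy`). The following pre-flight check is an added example, not code from this thread or from the deploy-appengine project: it inspects a project IAM policy (the dict form of `gcloud projects get-iam-policy PROJECT --format=json`) for the service account's role bindings, reports which required roles are missing, recognises the failure signature in action log output, and prints the `gcloud` commands that apply the fix. The sample policy and log line are constructed; the project id and service account e-mail are placeholders; and the four "documented" roles are an assumption (the issue says the README lists four permissions but does not name them here).

```python
"""Pre-flight check for a deploy-appengine service account (added example)."""
import json

# The role this thread identifies as missing from the documentation.
ARTIFACT_REGISTRY_READER = "roles/artifactregistry.reader"

# Assumption: the four roles the action's README documented at the time.
# The issue only says "4 permissions" and does not list them.
DOCUMENTED_ROLES = (
    "roles/appengine.appAdmin",
    "roles/storage.admin",
    "roles/cloudbuild.builds.editor",
    "roles/iam.serviceAccountUser",
)
REQUIRED_ROLES = DOCUMENTED_ROLES + (ARTIFACT_REGISTRY_READER,)


def roles_for_member(policy: dict, member: str) -> set:
    """Roles bound unconditionally to `member` in a project IAM policy.

    Conditional bindings are skipped on purpose: a conditional grant may not
    apply to the deploy run, so it must not count as satisfying a requirement.
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policy: dict, sa_email: str, required=REQUIRED_ROLES) -> list:
    """Required roles the service account does not hold, in documented order."""
    have = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return [role for role in required if role not in have]


def is_registry_permission_error(log: str) -> bool:
    """Recognise the failure from this thread in deploy-appengine log output."""
    return "generic::permission_denied" in log and "failed to fetch manifest" in log


def fix_commands(project_id: str, sa_email: str) -> list:
    """gcloud commands for the fix in the comment above: enable the API, grant the role."""
    return [
        f"gcloud services enable artifactregistry.googleapis.com --project={project_id}",
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member=serviceAccount:{sa_email} --role={ARTIFACT_REGISTRY_READER}",
    ]


# Constructed sample: a policy in which the SA holds the four documented roles only.
SA_EMAIL = "gha-deploy@example-project.iam.gserviceaccount.com"  # placeholder
PROJECT_ID = "example-project"  # placeholder
SAMPLE_POLICY = json.loads(json.dumps({
    "version": 1,
    "bindings": [
        {"role": role, "members": [f"serviceAccount:{SA_EMAIL}"]}
        for role in DOCUMENTED_ROLES
    ] + [
        # Conditional grant of the reader role: does not count (see roles_for_member).
        {"role": ARTIFACT_REGISTRY_READER,
         "members": [f"serviceAccount:{SA_EMAIL}"],
         "condition": {"expression": "request.time < timestamp('2000-01-01T00:00:00Z')"}},
    ],
}))

# Constructed log line modelled on the error in the issue above.
SAMPLE_LOG = ("ERROR: (gcloud.app.deploy) Error Response: [7] failed to fetch metadata: "
              "generic::permission_denied: failed to fetch manifest: generic::permission_denied")


def main():
    missing = missing_roles(SAMPLE_POLICY, SA_EMAIL)
    print("missing roles:", missing)
    if is_registry_permission_error(SAMPLE_LOG) and ARTIFACT_REGISTRY_READER in missing:
        print("log matches the Artifact Registry permission failure; apply:")
        for cmd in fix_commands(PROJECT_ID, SA_EMAIL):
            print("  " + cmd)


if __name__ == "__main__":
    main()
```

Run it against a real project by replacing `SAMPLE_POLICY` with `json.load()` of the `get-iam-policy` output; the check intentionally treats a conditional binding as absent, so a reader grant that is scoped by an expression will still be reported as missing.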
verbanicm pushed a commit that referenced this issue Mar 12, 2024
…peline (#356)

Hi maintainers. This PR is based on #354 

Found an issue that when deploying to App engine via github actions for
standard environment, you get logs with this error `reason:
generic::permission_denied: failed to fetch manifest:
generic::permission_denied` which is due to `Artifact Registry Reader`
Permission missing from service account used. I did not encounter this
issue for flexible environment.
Tested with the following configurations:
`deploy.yaml` (github workflow)
```
name: Deploy to GAE

on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [ main ]

jobs:
  deploy:
    name: Deploying to Google Cloud
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout
      uses: actions/checkout@v4

    - name: 'Auth GCP'
      uses: 'google-github-actions/auth@v2'
      with:
        credentials_json: '${{ secrets.GCP_DEPLOY }}'

    - id: deploy
      name: Deploy to App Engine
      uses: google-github-actions/deploy-appengine@v2
      with:
        deliverables: app.yaml
        project_id: ${{ secrets.GCP_PROJECT }}

    - name: Test output
      run: 'curl "${{ steps.deploy.outputs.version_url }}"'
```

`app.yaml`
```
service: default
runtime: nodejs18
env: standard
instance_class: F1

env_variables:
  NODE_ENV: production
  PORT: 8080

inbound_services:
- warmup

automatic_scaling:
  min_instances: 1
  max_instances: 2
  target_cpu_utilization: 0.75


handlers:
- url: /.*
  script: auto
  secure: always
  redirect_http_response_code: 301
```

Signed-off-by: Bahroze Ali <[email protected]>
@julesvanrie
Author

Fixed by #356
Thanks @hawkeye-sama !
