
Google Artifact Registry NPM + GitHub Action

I'm trying to publish an npm package on GAR (Google Artifact Registry) through GitHub using google-github-actions/auth@v0 and google-artifactregistry-auth.

For the authentication to Google from GitHub, here is what I did to use Workload Identity Federation:

export PROJECT_ID="my-project-id"

gcloud iam service-accounts create "gh-deploy-service-account" --project "${PROJECT_ID}"

gcloud iam workload-identity-pools create "github-pool" --project="${PROJECT_ID}" --location="global" --display-name="Github pool"

gcloud iam workload-identity-pools describe "github-pool" --project="${PROJECT_ID}" --location="global" --format="value(name)"

export WORKLOAD_IDENTITY_POOL_ID=projects/my-custom-id-number/locations/global/workloadIdentityPools/github-pool

gcloud iam workload-identity-pools providers create-oidc "github-provider" \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool="github-pool" \
  --display-name="Github provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
  --issuer-uri="https://token.actions.githubusercontent.com"

export REPO="@example/my-package"

gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"

Then I created my artifact repository on Google:

gcloud artifacts repositories create npm-repository --repository-format=npm --location=asia-east2

Here is my GitHub workflow:

name: Publish Package
on:
  push:
    branches:
      - main

jobs:
  publish:
    timeout-minutes: 10
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - uses: actions/setup-node@v2
        with:
          node-version: 16

      - name: Install
        run: npm ci

      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
          create_credentials_file: true

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v0"

      - name: Create .npmrc
        run: |
          cat << EOF > .npmrc
            @example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken=""
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
          EOF

      - name: Artifact login
        run: |
          #export GOOGLE_APPLICATION_CREDENTIALS=${{ steps.auth.outputs.credentials_file_path }}
          # the square brackets in the docs are placeholder notation, not part of the argument
          npx google-artifactregistry-auth@v3 --repo-config=./.npmrc --credential-config=./.npmrc

But on this workflow, I got an error on the step Artifact login, telling me:

npm WARN exec The following package was not found and will be installed: google-artifactregistry-auth
Retrieving application default credentials...
Retrieving credentials from gcloud...
Error: Fail to get credentials. Please run: 
`gcloud auth application-default login`, `gcloud auth login`, or 
`export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>`
    at Object.getCreds (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/auth.js:40:9)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async main (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/main.js:66:19)
Error: Process completed with exit code 1.

The full workflow is available here. I don't know where my mistake is. Does my service account need more rights? Or is it an issue with google-artifactregistry-auth? I really don't know :/

Thanks in advance for your help!

EDIT 1: I tried to follow this documentation and I added some rights to my service account:

gcloud artifacts repositories add-iam-policy-binding npm-repository \
--location asia-east2 --member=serviceAccount:my-service-account --role=roles/artifactregistry.writer

I finally found out!!! BUT I'm not sure, in terms of security, whether there is any risk or not, so if anyone can advise I'll edit the answer!

What is changing, but I'm not sure about in terms of security, is here:

gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.serviceAccountTokenCreator" \
  --member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"


gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"

I think I don't really get the principalSet option and all the possible attributes, so if anyone can advise on this too, I'll be grateful!

Then don't forget to bind your repo to your service account:

gcloud artifacts repositories add-iam-policy-binding npm-repository \
--location asia-east2 --member=serviceAccount:gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/artifactregistry.writer

And for the GitHub workflow I removed google-artifactregistry-auth and I use the access_token in the .npmrc file.

Here is the full workflow:

name: Publish Package
on:
  push:
    branches:
      - main

jobs:
  publish:
    timeout-minutes: 10
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - uses: actions/setup-node@v2
        with:
          node-version: 16

      - name: Install
        run: npm ci

      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
          token_format: 'access_token'

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v0"

      - name: Create .npmrc
        run: |
          cat << EOF > .npmrc
            @example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken="${{ steps.auth.outputs.access_token }}"
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
          EOF

      - name: Artifact login
        run: |
          npm publish
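The answer asks what the principalSet member and its attributes actually select. Below is an added example (not code from the post and not Google's implementation) that simulates how Workload Identity Federation matches a GitHub Actions OIDC token against a principalSet:// binding, using the question's own attribute mapping (google.subject=assertion.sub, attribute.actor=assertion.actor, attribute.repository=assertion.repository). The pool name, project number and token claims are constructed sample values, and the matching rules are the documented semantics as this example understands them: `/*` covers every identity the provider accepts, `/attribute.repository/<value>` covers only tokens whose mapped attribute equals `<value>`, and the `repository` claim in a GitHub token has the form `owner/repo`.

```python
"""Simulate principalSet:// member matching for a GitHub Actions OIDC token.

Added example, not from the original post or from Google Cloud. Pool name,
project number and token claims are constructed; matching rules follow the
documented Workload Identity Federation semantics as understood here.
"""
import re
from typing import Dict

# Provider attribute mapping from the question:
#   google.subject=assertion.sub, attribute.actor=assertion.actor,
#   attribute.repository=assertion.repository
ATTRIBUTE_MAPPING = {
    "google.subject": "sub",
    "attribute.actor": "actor",
    "attribute.repository": "repository",
}

# Constructed pool resource name (the project number is a placeholder).
POOL = "projects/123456789012/locations/global/workloadIdentityPools/github-pool"

# Constructed claims of a GitHub Actions token for a push to main in the
# repository that should be allowed to publish. `repository` is "<owner>/<repo>",
# which is not the same string as an npm scope such as "@example/my-package".
TOKEN_FROM_OWN_REPO = {
    "sub": "repo:example-org/my-package:ref:refs/heads/main",
    "repository": "example-org/my-package",
    "actor": "octocat",
}

# Constructed claims of a token minted for a workflow in an unrelated repository.
TOKEN_FROM_OTHER_REPO = {
    "sub": "repo:someone-else/unrelated:ref:refs/heads/main",
    "repository": "someone-else/unrelated",
    "actor": "mallory",
}


def map_attributes(claims: Dict[str, str],
                   mapping: Dict[str, str] = ATTRIBUTE_MAPPING) -> Dict[str, str]:
    """Apply the provider's attribute mapping: google.subject / attribute.* <- token claims."""
    return {target: claims[source] for target, source in mapping.items() if source in claims}


_MEMBER_RE = re.compile(
    r"^principalSet://iam\.googleapis\.com/"
    r"(?P<pool>projects/[^/]+/locations/global/workloadIdentityPools/[^/]+)/(?P<selector>.+)$"
)


def member_matches(member: str, claims: Dict[str, str], pool: str = POOL) -> bool:
    """Return True if the IAM member `member` covers the identity described by `claims`."""
    m = _MEMBER_RE.match(member)
    if m is None or m.group("pool") != pool:
        return False                      # different pool, or not a principalSet member
    selector = m.group("selector")
    attrs = map_attributes(claims)
    if selector == "*":
        return True                       # every identity the pool's providers accept
    if selector.startswith("attribute."):
        # "attribute.<name>/<value>"; the value itself may contain "/" (owner/repo)
        name, sep, value = selector[len("attribute."):].partition("/")
        return sep == "/" and attrs.get(f"attribute.{name}") == value
    return False


def repo_member(repo: str, pool: str = POOL) -> str:
    """Member string restricting impersonation to one GitHub repository."""
    return f"principalSet://iam.googleapis.com/{pool}/attribute.repository/{repo}"


def wildcard_member(pool: str = POOL) -> str:
    """Member string covering the whole pool, as used in the answer."""
    return f"principalSet://iam.googleapis.com/{pool}/*"


if __name__ == "__main__":
    cases = [
        ("npm-scope binding", repo_member("@example/my-package")),
        ("owner/repo binding", repo_member("example-org/my-package")),
        ("wildcard binding", wildcard_member()),
    ]
    for label, member in cases:
        own = member_matches(member, TOKEN_FROM_OWN_REPO)
        other = member_matches(member, TOKEN_FROM_OTHER_REPO)
        print(f"{label:20s} own repo: {own!s:5s} other repo: {other}")
```

Running it shows the three outcomes side by side: a binding on `attribute.repository/@example/my-package` matches nothing, because the token's `repository` claim is `owner/repo`; a binding on `attribute.repository/example-org/my-package` matches only that repository's workflows; and the `/*` binding matches the unrelated repository's token as well, since the provider's issuer is shared by every GitHub repository. That last row is the risk behind the answer's question: with `/*` the service account, and through `roles/iam.serviceAccountTokenCreator` its tokens, can be obtained by any workflow the provider accepts unless the provider carries an `--attribute-condition` restricting, for example, `attribute.repository`.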
