stackoom
  简体   繁体   中英

Google artifact regitsry NPM + github action

 原文  2022-02-11 07:35:06       github/ github-actions/ gcloud/ google-artifact-registry/ workload-identity

Question

I'm trying to publish a npm package on GAR (Google Artifact Registry) through github using google-github-actions/auth@v0 and google-artifactregistry-auth

For the authentication to google from github here is what I did to use the Federation Workload Identity:

export PROJECT_ID="my-project-id"

gcloud iam service-accounts create "gh-deploy-service-account" --project "${PROJECT_ID}"

gcloud iam workload-identity-pools create "github-pool" --project="${PROJECT_ID}" --location="global" --display-name="Github pool"

gcloud iam workload-identity-pools describe github-pool" --project="${PROJECT_ID}" --location="global" --format="value(name)"

export WORKLOAD_IDENTITY_POOL_ID=projects/my-custom-id-number/locations/global/workloadIdentityPools/github-pool

gcloud iam workload-identity-pools providers create-oidc "github-provider" \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool="github-pool" \
  --display-name="Github provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
  --issuer-uri="https://token.actions.githubusercontent.com"

export REPO="@example/my-package"

gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"

Then I created my artifact repository on google:

gcloud artifacts repositories create npm-repository --repository-format=npm --location=asia-east2

Here is my github workflows:

name: Publish Package
on:
  push:
    branches:
      - main

jobs:
  publish:
    timeout-minutes: 10
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - uses: actions/setup-node@v2
        with:
          node-version: 16

      - name: Install
        run: npm ci

      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
          create_credentials_file: true

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v0"

      - name: Create .npmrc
        run: |
          cat << EOF > .npmrc
            @example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken=""
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
          EOF

      - name: Artifact login
        run: |
          #export GOOGLE_APPLICATION_CREDENTIALS=${{ steps.auth.outputs.credentials_file_path }}
          npx google-artifactregistry-auth@v3 --repo-config=[./.npmrc] --credential-config=[./.npmrc]

But on this workflow, I got an error on the step Artifact login . Telling me:

npm WARN exec The following package was not found and will be installed: google-artifactregistry-auth
Retrieving application default credentials...
Retrieving credentials from gcloud...
Error: Fail to get credentials. Please run: 
`gcloud auth application-default login`, `gcloud auth login`, or 
`export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>`
    at Object.getCreds (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/auth.js:40:9)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async main (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/main.js:66:19)
Error: Process completed with exit code 1.

The full workflow is available here I don't know where is my mistake here. Does my service account need more right? or is it an issue on the google-artifactregistry-auth ? I really don't know:/

Thx in advance for you help !

EDIT 1: I tried to follow this documentation and I added to my service account some right:

gcloud artifacts repositories add-iam-policy-binding npm-repository \
--location asia-east2 --member=serviceAccount:my-service-account --role=roles/artifactregistry.writer

1 answers

solution1
 5 ACCPTED  2022-02-11 12:44:29

I finally find out !!! BUT I'm not sure in term of security if there is any risk or not so if anyone can advice I'll edit the answer !

What is changing but I'm not sure in term of security is here:

gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.serviceAccountTokenCreator" \
  --member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"


gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"

I think I don't really get the principalSet option and all the attribute possible so if anyone can advice also on this, I'll be grateful !

Then don't forget to bind your repo to your service account:

gcloud artifacts repositories add-iam-policy-binding npm-repository \
--location asia-east2 --member=serviceAccount:gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/artifactregistry.writer

And for the github workflow I remove the google-artifactregistry-auth and i use the access_token in the .npmrc file.

Here is the full workflow:

name: Publish Package
on:
  push:
    branches:
      - main

jobs:
  publish:
    timeout-minutes: 10
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - uses: actions/setup-node@v2
        with:
          node-version: 16

      - name: Install
        run: npm ci

      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
          token_format: 'access_token'

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v0"

      - name: Create .npmrc
        run: |
          cat << EOF > .npmrc
            @example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken="${{ steps.auth.outputs.access_token }}"
            //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
          EOF

      - name: Artifact login
        run: |
          npm publish

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to Push NPM Package to Azure Artifact Feed? Github Action Rollback Strategy Auth error when pushing to Google Artifact Repository How to deploy artifact to aws s3 using github workflow? Google Artifact Registry access from different projects Google Cloud: Artifact Registry vs Container Registry Authenticating Firebase connection in GitHub Action Github Action : failed with "lost connection" Google Cloud Function NPM Google Cloud Container Registry/Artifact Registry Permissions
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM