谷歌神器 regitsry NPM + github action
[英]Google artifact regitsry NPM + github action
原文
2022-02-11 07:35:06
7
1
github/
github-actions/
gcloud/
google-artifact-registry/
workload-identity
问题描述
我正在尝试使用google-github-actions/auth@v0和google-artifactregistry-auth通过 github 在 GAR(Google Artifact Registry)上发布 npm package
对于从 github 到 google 的身份验证,这是我使用联合工作负载标识所做的:
export PROJECT_ID="my-project-id"
gcloud iam service-accounts create "gh-deploy-service-account" --project "${PROJECT_ID}"
gcloud iam workload-identity-pools create "github-pool" --project="${PROJECT_ID}" --location="global" --display-name="Github pool"
gcloud iam workload-identity-pools describe github-pool" --project="${PROJECT_ID}" --location="global" --format="value(name)"
export WORKLOAD_IDENTITY_POOL_ID=projects/my-custom-id-number/locations/global/workloadIdentityPools/github-pool
gcloud iam workload-identity-pools providers create-oidc "github-provider" \
--project="${PROJECT_ID}" \
--location="global" \
--workload-identity-pool="github-pool" \
--display-name="Github provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
--issuer-uri="https://token.actions.githubusercontent.com"
export REPO="@example/my-package"
gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"
然后我在谷歌上创建了我的工件存储库:
gcloud artifacts repositories create npm-repository --repository-format=npm --location=asia-east2
这是我的 github 工作流程:
name: Publish Package
on:
push:
branches:
- main
jobs:
publish:
timeout-minutes: 10
runs-on: ubuntu-latest
permissions:
contents: "read"
id-token: "write"
steps:
- name: Checkout
uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 16
- name: Install
run: npm ci
- id: "auth"
name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v0"
with:
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}
create_credentials_file: true
- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v0"
- name: Create .npmrc
run: |
cat << EOF > .npmrc
@example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
//asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken=""
//asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
EOF
- name: Artifact login
run: |
#export GOOGLE_APPLICATION_CREDENTIALS=${{ steps.auth.outputs.credentials_file_path }}
npx google-artifactregistry-auth@v3 --repo-config=[./.npmrc] --credential-config=[./.npmrc]
但是在这个工作流程中,我在Artifact login的步骤上遇到了错误。 告诉我:
npm WARN exec The following package was not found and will be installed: google-artifactregistry-auth
Retrieving application default credentials...
Retrieving credentials from gcloud...
Error: Fail to get credentials. Please run:
`gcloud auth application-default login`, `gcloud auth login`, or
`export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>`
at Object.getCreds (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/auth.js:40:9)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async main (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/main.js:66:19)
Error: Process completed with exit code 1.
完整的工作流程在这里可用我不知道我的错误在哪里。 我的服务帐户需要更多权限吗? 还是google-artifactregistry-auth上的问题? 我真的不知道:/
提前谢谢你的帮助!
编辑 1:我尝试遵循此文档并向我的服务帐户添加了一些权利:
gcloud artifacts repositories add-iam-policy-binding npm-repository \
--location asia-east2 --member=serviceAccount:my-service-account --role=roles/artifactregistry.writer
1 个解决方案
解决方案1
5 已采纳 2022-02-11 12:44:29
我终于知道了!!! 但是我不确定在安全方面是否存在任何风险,所以如果有人可以建议我会编辑答案!
发生了什么变化,但我不确定这里是否安全:
gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.serviceAccountTokenCreator" \
--member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"
gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"
我想我并没有真正得到principalSet选项和所有可能的属性,所以如果有人也可以就此提出建议,我将不胜感激!
然后不要忘记将您的仓库绑定到您的服务帐户:
gcloud artifacts repositories add-iam-policy-binding npm-repository \
--location asia-east2 --member=serviceAccount:gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/artifactregistry.writer
对于 github 工作流程,我删除了google-artifactregistry-auth并使用了.npmrc文件中的access_token 。
这是完整的工作流程:
name: Publish Package
on:
push:
branches:
- main
jobs:
publish:
timeout-minutes: 10
runs-on: ubuntu-latest
permissions:
contents: "read"
id-token: "write"
steps:
- name: Checkout
uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 16
- name: Install
run: npm ci
- id: "auth"
name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v0"
with:
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}
token_format: 'access_token'
- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v0"
- name: Create .npmrc
run: |
cat << EOF > .npmrc
@example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
//asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken="${{ steps.auth.outputs.access_token }}"
//asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
EOF
- name: Artifact login
run: |
npm publish
Google Cloud Container Registry/Artifact Registry 权限
[英]Google Cloud Container Registry/Artifact Registry Permissions
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
如何推送 NPM Package 到 Azure Artifact Feed?
Github 动作回滚策略
推送到 Google Artifact Repository 时出现身份验证错误
如何使用 github 工作流程将工件部署到 aws s3?
来自不同项目的 Google Artifact Registry 访问
谷歌云:Artifact Registry 与 Container Registry
在 GitHub 操作中验证 Firebase 连接
Github 操作:因“失去连接”而失败
谷歌云 Function NPM
Google Cloud Container Registry/Artifact Registry 权限
相关标签