谷歌神器 regitsry NPM + github action
[英]Google artifact regitsry NPM + github action
原文
2022-02-11 07:35:06
9
1
github/
github-actions/
gcloud/
google-artifact-registry/
workload-identity
問題描述
我正在嘗試使用google-github-actions/auth@v0和google-artifactregistry-auth通過 github 在 GAR(Google Artifact Registry)上發布 npm package
對於從 github 到 google 的身份驗證,這是我使用聯合工作負載標識所做的:
export PROJECT_ID="my-project-id"
gcloud iam service-accounts create "gh-deploy-service-account" --project "${PROJECT_ID}"
gcloud iam workload-identity-pools create "github-pool" --project="${PROJECT_ID}" --location="global" --display-name="Github pool"
gcloud iam workload-identity-pools describe github-pool" --project="${PROJECT_ID}" --location="global" --format="value(name)"
export WORKLOAD_IDENTITY_POOL_ID=projects/my-custom-id-number/locations/global/workloadIdentityPools/github-pool
gcloud iam workload-identity-pools providers create-oidc "github-provider" \
--project="${PROJECT_ID}" \
--location="global" \
--workload-identity-pool="github-pool" \
--display-name="Github provider" \
--attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
--issuer-uri="https://token.actions.githubusercontent.com"
export REPO="@example/my-package"
gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"
然后我在谷歌上創建了我的工件存儲庫:
gcloud artifacts repositories create npm-repository --repository-format=npm --location=asia-east2
這是我的 github 工作流程:
name: Publish Package
on:
push:
branches:
- main
jobs:
publish:
timeout-minutes: 10
runs-on: ubuntu-latest
permissions:
contents: "read"
id-token: "write"
steps:
- name: Checkout
uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 16
- name: Install
run: npm ci
- id: "auth"
name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v0"
with:
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}
create_credentials_file: true
- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v0"
- name: Create .npmrc
run: |
cat << EOF > .npmrc
@example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
//asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken=""
//asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
EOF
- name: Artifact login
run: |
#export GOOGLE_APPLICATION_CREDENTIALS=${{ steps.auth.outputs.credentials_file_path }}
npx google-artifactregistry-auth@v3 --repo-config=[./.npmrc] --credential-config=[./.npmrc]
但是在這個工作流程中,我在Artifact login的步驟上遇到了錯誤。 告訴我:
npm WARN exec The following package was not found and will be installed: google-artifactregistry-auth
Retrieving application default credentials...
Retrieving credentials from gcloud...
Error: Fail to get credentials. Please run:
`gcloud auth application-default login`, `gcloud auth login`, or
`export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>`
at Object.getCreds (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/auth.js:40:9)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async main (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/main.js:66:19)
Error: Process completed with exit code 1.
完整的工作流程在這里可用我不知道我的錯誤在哪里。 我的服務帳戶需要更多權限嗎? 還是google-artifactregistry-auth上的問題? 我真的不知道:/
提前謝謝你的幫助!
編輯 1:我嘗試遵循此文檔並向我的服務帳戶添加了一些權利:
gcloud artifacts repositories add-iam-policy-binding npm-repository \
--location asia-east2 --member=serviceAccount:my-service-account --role=roles/artifactregistry.writer
1 個解決方案
解決方案1
5 已采納 2022-02-11 12:44:29
我終於知道了!!! 但是我不確定在安全方面是否存在任何風險,所以如果有人可以建議我會編輯答案!
發生了什么變化,但我不確定這里是否安全:
gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.serviceAccountTokenCreator" \
--member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"
gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
--project="${PROJECT_ID}" \
--role="roles/iam.workloadIdentityUser" \
--member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"
我想我並沒有真正得到principalSet選項和所有可能的屬性,所以如果有人也可以就此提出建議,我將不勝感激!
然后不要忘記將您的倉庫綁定到您的服務帳戶:
gcloud artifacts repositories add-iam-policy-binding npm-repository \
--location asia-east2 --member=serviceAccount:gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/artifactregistry.writer
對於 github 工作流程,我刪除了google-artifactregistry-auth並使用了.npmrc文件中的access_token 。
這是完整的工作流程:
name: Publish Package
on:
push:
branches:
- main
jobs:
publish:
timeout-minutes: 10
runs-on: ubuntu-latest
permissions:
contents: "read"
id-token: "write"
steps:
- name: Checkout
uses: actions/checkout@v2
- uses: actions/setup-node@v2
with:
node-version: 16
- name: Install
run: npm ci
- id: "auth"
name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v0"
with:
workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}
token_format: 'access_token'
- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v0"
- name: Create .npmrc
run: |
cat << EOF > .npmrc
@example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
//asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken="${{ steps.auth.outputs.access_token }}"
//asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
EOF
- name: Artifact login
run: |
npm publish
Google Cloud Container Registry/Artifact Registry 權限
[英]Google Cloud Container Registry/Artifact Registry Permissions
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
如何推送 NPM Package 到 Azure Artifact Feed?
Github 動作回滾策略
推送到 Google Artifact Repository 時出現身份驗證錯誤
如何使用 github 工作流程將工件部署到 aws s3?
來自不同項目的 Google Artifact Registry 訪問
谷歌雲:Artifact Registry 與 Container Registry
在 GitHub 操作中驗證 Firebase 連接
Github 操作:因“失去連接”而失敗
谷歌雲 Function NPM
Google Cloud Container Registry/Artifact Registry 權限
相關標簽