npx google-artifactregistry-auth v3.1.1 succeeds but subsequent npm install hits 403 forbidden for private package #52

Open
richjyoung opened this issue Mar 28, 2023 · 9 comments
@richjyoung

This does not happen with v3.1.0

Running in GitLab CI on a private runner, executing the following (*** masked for privacy):

before_script:
  - gcloud auth activate-service-account ***@***.iam.gserviceaccount.com --key-file=*** --project=***
  - npx --yes google-artifactregistry-auth
  - npm ci --production=false
script:
  - ./node_modules/.bin/vitest run --coverage

The output from GitLab CI Job is as follows:

$ npx --yes google-artifactregistry-auth
Retrieving application default credentials...
Success!
$ npm ci
npm WARN deprecated json-schema-ref-parser@9.0.9: Please switch to @apidevtools/json-schema-ref-parser
npm ERR! code E403
npm ERR! 403 403 Forbidden - GET https://us-npm.pkg.dev/***/***/@***/***/-/@***-3.0.1.tgz - The caller does not have permission.
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.
npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2023-03-28T08_28_36_481Z-debug-0.log

The referenced log file contains no further information than the above output.

Version 3.1.0 does not have this issue; if we run npx --yes google-artifactregistry-auth@v3.1.0 (which we have had to commit to our .gitlab-ci.yml to fix our pipeline) then this works as expected. Please let me know if there is any further information I can provide; however, I am unable to share a minimal example as this involves organisation private data.

@hchorton

Was having this issue as well with artifactregistry-auth, also ended up having to roll back to v3.1.0

@yihanzhen
Member

@richjyoung @hchorton Are y'all possibly running on GCE? This might be an unexpected side effect from #50.

Here's my theory:

  • The pipeline runs on GCE, and the GCE's default service account does not have cloud-platform scope
  • GCE's default service account is picked up as Application Default Credentials
  • Prior to fix: skip the scope check #50, we do a scope check after obtaining the token, which would find that the token does not have the scope needed and therefore drop it and continue to look for gcloud user credentials

Can you try instead of doing gcloud auth activate-service-account, using this environment variable GOOGLE_APPLICATION_CREDENTIALS:

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key/file.json

This environment variable is checked before GCE's default service account credentials, so by doing so the service account will be used for publishing.
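
A pre-flight check for the situation this theory describes, as an added example that is not part of the thread or of google-artifactregistry-auth: run before the auth step, it reports which of the two credential sources named above would be picked up and flags a metadata-server service account that lacks the cloud-platform scope. The function names, verdict strings and the `--check` flag are hypothetical, the sample scope list is constructed, and only the two sources mentioned in the comment are modelled.

```shell
# Added example, not project code. Function names, verdict strings and the
# --check flag are hypothetical.
CLOUD_PLATFORM="https://www.googleapis.com/auth/cloud-platform"

# Constructed sample: a scope list without cloud-platform, in the
# newline-separated form the metadata server returns.
SAMPLE_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"

# Succeeds if the whitespace-separated scope list $1 contains cloud-platform.
has_cloud_platform() {
  for scope in $1; do
    if [ "$scope" = "$CLOUD_PLATFORM" ]; then return 0; fi
  done
  return 1
}

# adc_verdict KEY_FILE METADATA_SCOPES
# Models only the two sources named in the thread, in the stated order:
# GOOGLE_APPLICATION_CREDENTIALS first, then the metadata server.
adc_verdict() {
  if [ -n "$1" ]; then
    if [ -r "$1" ]; then echo key-file; else echo key-file-unreadable; fi
  elif [ -z "$2" ]; then
    echo no-metadata
  elif has_cloud_platform "$2"; then
    echo metadata-ok
  else
    echo metadata-missing-scope
  fi
}

# Scopes of the instance's default service account; empty when the
# metadata server is unreachable (not on GCE/GKE).
fetch_metadata_scopes() {
  curl -sf -m 2 -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes' || true
}

# Run as: sh adc-preflight.sh --check   (before npx google-artifactregistry-auth)
if [ "${1:-}" = "--check" ]; then
  verdict=$(adc_verdict "${GOOGLE_APPLICATION_CREDENTIALS:-}" "$(fetch_metadata_scopes)")
  echo "ADC source: $verdict"
  case $verdict in
    metadata-missing-scope|key-file-unreadable) exit 1 ;;
  esac
fi
```

A `metadata-missing-scope` verdict is the case the theory describes; exporting GOOGLE_APPLICATION_CREDENTIALS as suggested changes the verdict to `key-file`.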

@richjyoung
Author

richjyoung commented Mar 28, 2023 via email

@yihanzhen
Member

yihanzhen commented Mar 28, 2023

@richjyoung if my memory serves correctly, GKE and GCE both use the metadata server as an ADC provider, so this can be the issue :)

@richjyoung
Author

richjyoung commented Mar 28, 2023 via email

@samuelgoldenbaum

samuelgoldenbaum commented Apr 3, 2023

Same issue for us.

@kliffordmanto

Workaround worked for us. Thanks.

@galan

galan commented Mar 7, 2024

Having the same issue. My gitlab-runner does not run on GCP/K8s. Using version 3.1.0 did not help.

I'm using the environment variable GOOGLE_APPLICATION_CREDENTIALS pointing to a service-account credential json file. This service-account has enough permissions and is used in other builds (maven) to GAR without issues. The NPM repository has the correct permissions and "Artifact Registry Reader" Role. Locally it works. 🤷

@galan

galan commented Mar 7, 2024

After a lot of digging, it seems to be a yarn issue. So the temporary solution for me was to do the npx --yes google-artifactregistry-auth in a separate build step, instead of the preinstall script.
