npx google-artifactregistry-auth v3.1.1 succeeds but subsequent npm install hits 403 forbidden for private package #52
Comments
Was having this issue as well with artifactregistry-auth, also ended up having to roll back to v3.1.0 |
@richjyoung @hchorton Are yall possibly running on GCE? This might be an unexpected side effect from #50. Here's my theory:
* The pipeline runs on GCE, and the GCE's default service account does not have cloud-platform scope
* GCE's default service account is picked up as Application Default Credentials
* Prior to #50, we do a scope check after obtaining the token, which would find that the token does not have the scope needed and therefore drop it and continue to look for gcloud user credentials
Can you try instead of doing gcloud auth activate-service-account, using this environment variable GOOGLE_APPLICATION_CREDENTIALS:
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key/file.json
This environment variable is checked before GCE's default service account credentials, so by doing so the service account will be used for publishing. |
In my case we are running standard image for self hosted gitlab runners on Google Kubernetes Engine. I did not think running containers on GKE have access to the default service account on the host, however I will try this suggestion.
|
@richjyoung if my memory serves correctly, GKE and GCE both use the metadata server as an ADC provider, so this can be the issue :) |
Ah ok, thanks for your help!
|
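The lookup order from the theory above, modelled as an added example; it is not code from artifact-registry-npm-tools or from any commenter. The function and field names are hypothetical, the runner is constructed sample data, and the model assumes that v3.1.1 no longer performs the scope check, as the theory implies.

```javascript
// Added example: a model of the credential lookup order described in the thread.
// Not code from artifact-registry-npm-tools; all names below are hypothetical.
const CLOUD_PLATFORM = 'https://www.googleapis.com/auth/cloud-platform';

// Application Default Credentials candidate: the key file named by
// GOOGLE_APPLICATION_CREDENTIALS is checked before the metadata server.
function adcCandidate(runner) {
  if (runner.env.GOOGLE_APPLICATION_CREDENTIALS) {
    // Assumption: a token minted from the key file carries cloud-platform scope.
    return { source: 'key-file', scopes: [CLOUD_PLATFORM] };
  }
  if (runner.metadataScopes) {
    return { source: 'metadata-server', scopes: runner.metadataScopes };
  }
  return null;
}

// scopeCheck=true models the behaviour prior to #50; false models the assumed
// behaviour after it. `expect` assumes the key file and gcloud account are
// authorised on the registry.
function pickCredential(runner, { scopeCheck }) {
  const adc = adcCandidate(runner);
  if (adc) {
    const scoped = adc.scopes.includes(CLOUD_PLATFORM);
    if (scoped || !scopeCheck) {
      return { source: adc.source, expect: scoped ? 'ok' : '403' };
    }
    // Scope check failed: drop the ADC token and fall through to gcloud.
  }
  if (runner.gcloudAccount) {
    return { source: 'gcloud', account: runner.gcloudAccount, expect: 'ok' };
  }
  return { source: 'none', expect: 'unauthenticated' };
}

// Constructed sample: a GKE/GCE runner whose default service account lacks
// cloud-platform scope, with a service account activated through gcloud.
const runner = {
  env: {},
  metadataScopes: ['https://www.googleapis.com/auth/devstorage.read_only'],
  gcloudAccount: 'ci-publisher@example-project.iam.gserviceaccount.com',
};
const withKeyFile = { ...runner, env: { GOOGLE_APPLICATION_CREDENTIALS: '/path/to/key/file.json' } };

console.log(pickCredential(runner, { scopeCheck: true }));       // gcloud account is used
console.log(pickCredential(runner, { scopeCheck: false }));      // metadata token is used
console.log(pickCredential(withKeyFile, { scopeCheck: false })); // key file wins
```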
Same issue for us. |
Workaround worked for us. Thanks. |
Having the same issue. My gitlab-runner does not run on a GCP/K8s. Using the version 3.1.0 did not help. I'm using the environment variable |
After a lot of digging, it seems to be a yarn issue. So the temporary solution for me was to do the |
This does not happen with v3.1.0
Running in GitLab CI on a private runner, executing the following (*** masked for privacy):
The output from GitLab CI Job is as follows:
The referenced log file contains no further information than the above output.
Version 3.1.0 does not have this issue, if we run
npx --yes google-artifactregistry-auth@v3.1.0
(which we have had to commit to our .gitlab-ci.yml to fix our pipeline) then this works as expected. Please let me know if there is any further information I can provide, however I am unable to share a minimal example as this involves organisation private data.