quarkus: CloudBuild (GCP) Failed to authenticate with registry when using Jib

Describe the bug

In a CloudBuild environment, I try to deploy an image with Jib on Artifact Registry. I set authentication but I still have a 403 Forbidden issue. When we use quarkus.container-image.push=true, I need more information on the different platforms used to publish our images, and in particular on the case that interests me, GAR.

Expected behavior

Image has been published on artifact registry using Jib

Actual behavior

{"errors":[{"code":"DENIED","message":"Permission \"artifactregistry.repositories.downloadArtifacts\" denied on resource ... }"

How to Reproduce?

No response

Output of uname -a or ver

Linux 84592f6948b9 4.19.104-microsoft-standard #1 SMP Wed Feb 19 06:37:35 UTC 2020 x86_64 Linux

Output of java -version

17.0.3

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.2.1.Final

Build tool (ie. output of mvnw --version or gradlew --version)

maven 3.8.3, Docker version 20.10.12, build e91ed57

Additional information

1. Application.properties

quarkus.native.container-build=true
quarkus.native.container-runtime=docker
quarkus.native.native-image-xmx=4G
quarkus.native.enable-https-url-handler=true
quarkus.native.report-exception-stack-traces=true

quarkus.jib.base-native-image=registry.access.redhat.com/ubi8/ubi-minimal
quarkus.container-image.build=true
quarkus.container-image.builder=jib
quarkus.container-image.push=true
quarkus.container-image.image=${GCP_IMAGE_NAME}

2. cloudbuild.yaml

steps:
- id: packageApp
  name: docker.io/anthonydenecheau/quarkus-maven-build-native-image:1.0
  entrypoint: bash
  args:
    - '-c'
    - |
      echo -e $(gcloud --quiet \
        --impersonate-service-account project-service-account@scc-build-docker.iam.gserviceaccount.com \
        auth configure-docker $_REGION-docker.pkg.dev)

      echo "************  ~/.docker/config.json ************"
      cat ~/.docker/config.json

      mvn clean package -Pnative -Dnative-image.docker-build=true \
      -Dmaven.test.skip=true -Dquarkus.profile=prod \
      -Dquarkus.native.additional-build-args=--initialize-at-run-time=jdk.internal.platform.cgroupv2.CgroupV2Subsystem
  env:
  - "SHORT_SHA=$SHORT_SHA"
  - "GCP_IMAGE_NAME=$_REGION-docker.pkg.dev/$PROJECT_ID/$_SERVICE_NAME/$_SERVICE_NAME:$SHORT_SHA"
  - "DOCKER_CONFIG=~/.docker/config.json"

3. trace/logs

Adding credentials for: europe-west3-docker.pkg.dev
Docker configuration file updated.

************  ~/.docker/config.json ************
{
  "auths": {
    "europe-west3-docker.pkg.dev": {
      "auth": "b2F1dGgyYWNjZXNzdG9rZW46eWEyOS5jLmIwQVh2MHpUTmt5OE9rYU..."
    },
   (....)
}

[ERROR] Caused by: com.google.cloud.tools.jib.http.ResponseException: 403 Forbidden
[ERROR] GET https://europe-west3-docker.pkg.dev/v2/token?service=europe-west3-docker.pkg.dev&scope=repository:scc-build-docker/show-service/show-service:pull,push
[ERROR] {"errors":[{"code":"DENIED","message":"Permission \"artifactregistry.repositories.downloadArtifacts\" denied on resource \"projects/scc-build-docker/locations/europe-west3/repositories/show-service\" (or it may not exist)"}]}
[ERROR]
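
Added example (not from the reporter, Quarkus or Jib): a redacted check of the Docker config written by the `gcloud auth configure-docker` step, reporting which credential entry exists for the registry host without echoing the token into the build log the way `cat ~/.docker/config.json` does. The function name `summarize_registry_auth` and the sample config are constructed for illustration.

```python
import base64
import json

# Constructed sample in the shape of the config.json shown in the log above.
# The token is a placeholder, not a real credential.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "europe-west3-docker.pkg.dev": {
            "auth": base64.b64encode(b"oauth2accesstoken:PLACEHOLDER-TOKEN").decode()
        }
    },
    "credHelpers": {"gcr.io": "gcloud"},
})


def summarize_registry_auth(config_text, registry):
    """Describe how `registry` is authenticated without exposing the secret.

    Hypothetical helper: looks at the `auths` and `credHelpers` keys of a
    Docker client config and returns only non-sensitive metadata.
    """
    config = json.loads(config_text)
    result = {"registry": registry, "source": None}

    entry = config.get("auths", {}).get(registry)
    if entry and entry.get("auth"):
        result["source"] = "auths"
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            result["error"] = "auth is not valid base64"
            return result
        username, sep, secret = decoded.partition(":")
        if not sep:
            result["error"] = "auth is not in user:secret form"
            return result
        # Report the username and the secret's length only, never the secret.
        result["username"] = username
        result["secret_length"] = len(secret)
        return result

    helper = config.get("credHelpers", {}).get(registry)
    if helper:
        result["source"] = "credHelpers"
        result["helper"] = "docker-credential-" + helper
    return result


if __name__ == "__main__":
    print(summarize_registry_auth(SAMPLE_CONFIG, "europe-west3-docker.pkg.dev"))
```
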

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16 (8 by maintainers)

Most upvoted comments

Seems like you have already pinged him 😃