5

I would like to use Google Cloud Build to build my docker images. These docker images use private packages that are downloaded from Google Artifact Registry.

The builder itself is authenticated and can use the npx google-artifactregistry-auth command. But I cannot call it inside the docker build process.

When I build the image locally I pass my credentials into Dockerfile like so: --build-arg GOOGLE_CREDS=\"$(cat $GOOGLE_APPLICATION_CREDENTIALS)\"

Is there a way to make this work out of the box or do I have to make a separate service account and upload its key as a secret to cloud build? Kind of annoying since both services are on google cloud....

EDIT: By request I'm adding info on how artifact registry is handled when I build it locally. My docker command is:

docker build --rm --build-arg GOOGLE_CREDS=\"$(cat $GOOGLE_APPLICATION_CREDENTIALS)\" -f 'Dockerfile' -t image:latest .

Relevant parts of the docker image are:

ARG GOOGLE_CREDS
ENV GOOGLE_APPLICATION_CREDENTIALS=/credentials.json
RUN echo ${GOOGLE_CREDS} > $GOOGLE_APPLICATION_CREDENTIALS
COPY .npmrc_template /root/.npmrc

RUN npx google-artifactregistry-auth ~/.npmrc 
RUN yarn install --silent

.npmrc_template contains details about the private repository but no password. It is then filled by google-artifactregistry-auth command

Algirdyz
  • 607
  • 6
  • 16
  • 1
    No keys, but can you share the cloud build step that you use today, and your docker file to make your explanation more real? – guillaume blaquiere Jun 14 '21 at 15:41
  • @guillaumeblaquiere I don't have one. I'm trying to move my local deployment to the cloud. I build my image locally by running this command: docker build --rm --build-arg GOOGLE_CREDS=\"$(cat $GOOGLE_APPLICATION_CREDENTIALS)\" -f 'Dockerfile' -t image:latest . – Algirdyz Jun 14 '21 at 19:54
  • And the environment variable just points to a service account json key file. But essentially I'm just trying to access google artifact registry inside a docker build command inside google cloud build. This can't be a very unique use case.... – Algirdyz Jun 14 '21 at 19:56
  • 1
    I reproduced the error. I have to fill in an issue and to forward it to the PM. I will keep you posted (if I have feedback....) – guillaume blaquiere Jun 17 '21 at 07:14
  • You have mentioned that your building docker image using this “ docker build --rm --build-arg GOOGLE_CREDS=\"$(cat $GOOGLE_APPLICATION_CREDENTIALS)\" -f 'Dockerfile' -t image:latest . ” Are you able to access Google Artifact Repository inside docker build while building docker image locally.If yes, If you could share the Dockerfile, It would help us to solve the problem. – Sri Jun 18 '21 at 08:10
  • Yes I can show how authentication works in Dockerfile. I'll edit the question. – Algirdyz Jun 18 '21 at 08:11
  • Were you able to access Artifact Repository inside Docker build while building Docker image locally ? – Sri Jun 18 '21 at 12:06

1 Answers1

4

You need to explicitly add the cloudbuild network to your Docker Build, like that

docker build --rm -f 'Dockerfile' -t image:latest --network=cloudbuild .
guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
  • This works great thanks! Just a note, I no longer need to pass the build args (I actually can't) the $GOOGLE_APPLICATION_CREDENTIALS is already an env variable inside the build. You might want to edit your answer to reflect that. – Algirdyz Jul 01 '21 at 10:35
  • This didn't work for me, I tried with build_kid enabled also? just says that cloud build is not supported with build kit? – Joshua Duxbury Jan 05 '23 at 17:01