0

I have a Docker image of a JavaScript application that uses private npm packages stored in Google's Artifact Registry.

Inside Google's CloudBuild I can specify `docker build -t myimage --network=cloudbuild .` and inside the docker build I can run `npx google-artifactregistry-auth`, which retrieves the credentials using the build service account, and then I can run my `RUN npm install`.

However, locally, when I have ADC on my computer (macOS), set up by running `gcloud auth application-default login`, running the same command in docker fails saying:

    #19 2.583 npm WARN exec The following package was not found and will be installed: google-artifactregistry-auth@3.1.1
    #19 6.822 Retrieving application default credentials...
    #19 6.846 Retrieving credentials from gcloud...
    #19 6.856 Error: Fail to get credentials. Please run:
    #19 6.856 gcloud auth application-default login, gcloud auth login, or
    #19 6.856 export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>
    #19 6.856 at Object.getCreds (/root/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/auth.js:40:9)
    #19 6.856 at async main (/root/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/main.js:83:19)

I tried setting the environment variable to my local path to no avail:

    docker build --build-arg GOOGLE_APPLICATION_CREDENTIALS=/Users/myname_here/.config/gcloud/application_default_credentials.json -t hello_world .

zaitsman
  • the environment variable points to a file that should be available in the docker image during the build process. Since you're not copying it, it won't work. If this is for testing purposes, I suggest to add a COPY in the Dockerfile. – Stefano May 05 '23 at 07:48
  • @Stefano this is not for `testing purposes`. I want to have a single Dockerfile that works both for Cloud Build and for my local docker such that it uses appropriate creds in each context. – zaitsman May 08 '23 at 01:19
  • Can you check this GitHub [thread](https://github.com/GoogleCloudPlatform/artifact-registry-npm-tools/issues/49#issuecomment-1485815578)? – Sathi Aiswarya May 08 '23 at 06:50
  • @SathiAiswarya thanks for that, unfortunately there is no resolution there for me :( – zaitsman May 10 '23 at 01:18
  • I have provided an answer below. Please check and let me know if the below suggestions were helpful. – Sathi Aiswarya May 22 '23 at 06:30
  • @SathiAiswarya unfortunately it is not because I want the same Dockerfile on my local and in CloudBuild, installing gcloud blows it up and I don't want to bundle gcloud with my application in production. – zaitsman May 23 '23 at 04:10
  • I have updated my answer. Can you have a look at it once. – Sathi Aiswarya May 25 '23 at 12:20

2 Answers

1

The `application_default_credentials.json` created by `gcloud application-default login` cannot be used as the service account JSON key. It will be referenced by the environment variable `GOOGLE_APPLICATION_CREDENTIALS` because they have different contents.

As mentioned in this stackoverflow link you can do

mount ~/.config of your machine to /root/.config inside the container, and make sure your docker image has gcloud installed. The application_default_credentials.json created by gcloud is only understandable by gcloud, so you will need to expose that to the docker container and let the gcloud inside the docker container do the authentication.

If the above steps do not help you: sometimes errors may arise with the `npx google-artifactregistry-auth` command, which requires a gcloud credential. Please note that the google-artifactregistry-auth module is an npm package which allows you to configure npm to interact with npm private repositories in Artifact Registry. Therefore, I would request you to please follow the steps mentioned below.

  1. Login using commands - `$ export GOOGLE_APPLICATION_CREDENTIALS=[path/to/key.json]` or `$ gcloud auth application-default login`

  2. Add settings to connect to the repository to .npmrc. Use the output from the following command:

    $ gcloud artifacts print-settings npm

  3. Run the module outside of the directory containing the target npmrc file:

    $ npx google-artifactregistry-auth --repo-config=[./.npmrc] --credential-config=[~/.npmrc]

  4. Also, include the command [1] in the scripts in package.json.

  5. Run the script using `$ npm run artifactregistry-login`

Also, please refer to the link, which explains the above-mentioned steps in more detail.

[1] `"scripts": { "artifactregistry-login": "npx google-artifactregistry-auth --repo-config=[./.npmrc] --credential-config=[~/.npmrc]" }`

Sathi Aiswarya
  • This does not work during Docker Build unless I install gcloud CLI FOR the build and then I am doing the same inside cloud build where it works without it. How do I make my own computer behave the same way as CloudBuild where this is NOT REQUIRED? – zaitsman Jun 22 '23 at 00:52

0

Please follow the official documentation here. This gives the step-by-step directions for setting it up.

Make sure the .npmrc file content is updated with the correct settings.

Gourav B
  • I already followed the steps, mate. It works fine in my local. It ONLY works in docker if I copy token to the .npmrc file which makes it contain credentials and IS NOT what I want. – zaitsman Jun 22 '23 at 00:51
  • This seems to be an expected behavior, as mentioned [here](https://cloud.google.com/artifact-registry/docs/nodejs/authentication#:~:text=Storing%20the%20token%20in%20your%20user%20.npmrc%20file%20isolates%20your%20credentials%20from%20your%20source%20code%20and%20your%20source%20control%20system.). In local, the credentials are stored under "~/.config/gcloud" – Gourav B Jun 22 '23 at 21:40
  • Exactly. So how does Cloud Build do it if I do not need to put my credentials into .npmrc but it still works? How does Google Cloud Shell do it? Because it also works in cloud shell albeit with an interactive prompt. I want to replicate either in my local docker. – zaitsman Jun 23 '23 at 04:22
  • If you remove "~/.config/gcloud", it will stop working in Cloud Shell/local. – Gourav B Jun 23 '23 at 20:09
  • How does that information help me? – zaitsman Jun 25 '23 at 23:39
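
One way to let a single build step see the local ADC file without copying it into the image or writing a token into the project .npmrc is a BuildKit secret mount; this is an added example, not part of the original thread. The secret id `gcloud_adc`, the `node:20` base image and the file layout are assumptions, as is BuildKit being enabled in both environments (`DOCKER_BUILDKIT=1` where the legacy builder is still the default).

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the thread. Assumed names: secret id "gcloud_adc",
# base image node:20, and a project .npmrc (from `gcloud artifacts
# print-settings npm`) that holds registry settings only, no token.
#
# Local build (the ADC file is passed as a secret, not as a build arg):
#   docker build \
#     --secret id=gcloud_adc,src="$HOME/.config/gcloud/application_default_credentials.json" \
#     -t hello_world .
# Cloud Build: same Dockerfile, no --secret flag, keep --network=cloudbuild.
FROM node:20
WORKDIR /app
COPY package.json package-lock.json .npmrc ./

# The secret is mounted for this RUN step only and is never stored in a layer.
# Without --secret the mount is simply absent, so the helper falls back to the
# credentials the build environment provides (the build service account).
# Assumption: the helper accepts the user ADC file through
# GOOGLE_APPLICATION_CREDENTIALS.
# The helper writes its access token to the user-level .npmrc; deleting that
# file in the same RUN keeps the token out of the resulting layer.
RUN --mount=type=secret,id=gcloud_adc,target=/run/secrets/gcloud_adc \
    if [ -f /run/secrets/gcloud_adc ]; then \
      export GOOGLE_APPLICATION_CREDENTIALS=/run/secrets/gcloud_adc; \
    fi; \
    npx google-artifactregistry-auth \
    && npm ci \
    && rm -f "$HOME/.npmrc"

COPY . .
```

`docker history --no-trunc hello_world` should show neither the credential path as a build argument nor any token, which is the difference from the `--build-arg` attempt in the question.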