I'm using a package from Artifact Registry in my Cloud Run Node.js container. When I try to run gcloud builds submit I get the following error:

Step #1: npm ERR! 403 403 Forbidden - GET https://us-east4-npm.pkg.dev/....
Step #1: npm ERR! 403 In most cases, you or one of your dependencies are requesting
Step #1: npm ERR! 403 a package version that is forbidden by your security policy.

Here is my cloudbuild.yaml:

steps:
 - name: gcr.io/cloud-builders/npm
   args: ['run', 'artifactregistry-login']

 - name: 'gcr.io/cloud-builders/docker'
   args: ['build', '-t', 'gcr.io/...', '.']
 
 - name: 'gcr.io/cloud-builders/docker'
   args: ['push', 'gcr.io/...']
 - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
   entrypoint: gcloud
   args:
   - 'run'
   - 'deploy'
   - 'admin-api'
   - '--image'
   - 'gcr.io/...'
   - '--region'
   - 'us-east4'
   - '--allow-unauthenticated'
images:
 - 'gcr.io/....'

And the Dockerfile:

FROM node:14-slim

WORKDIR /usr/src/app

COPY --chown=node:node .npmrc ./

COPY package*.json ./


RUN npm install

COPY . ./

EXPOSE 8080

CMD ["npm", "run", "server"]

.npmrc file:

@scope_xxx:registry=https://us-east4-npm.pkg.dev/project_xxx/repo_xxx/
//us-east4-npm.pkg.dev/project_xxx/repo_xxx/:always-auth=true

The Google build service account already has the "Artifact Registry Reader" permission.

AmmAr

3 Answers

You have to connect the Cloud Build network in your docker build command, like this:

 - name: 'gcr.io/cloud-builders/docker'
   args: ['build', '-t', 'gcr.io/...', '--network=cloudbuild', '.']
guillaume blaquiere

I had the same root cause; my setup is close to @AmmAr's. After hours of trial and error, I found a solution.

Disclaimer: this might not be the reason for your issue. The GCP 403 error message is vague; you need to chip away and eliminate all possibilities, which is how I arrived on this page.

Compared to @AmmAr above, the changes I made:

  • In the Node.js package.json, add to the "scripts": {...} property:

     "artifactregistry-login": "npx google-artifactregistry-auth",
     "artifactregistry-auth-npmrc": "npx google-artifactregistry-auth .npmrc"
    
  • In cloudbuild.yaml, I added two steps prior to the build step. These steps should result in .npmrc getting appended with an access token, thus allowing it to communicate with the GCP artifact repository; that resolved the 403 issue for my scenario.

steps:
  - name: gcr.io/cloud-builders/npm
    args: ['run', 'artifactregistry-login']
  - name: gcr.io/cloud-builders/npm
    args: ['run', 'artifactregistry-auth-npmrc']
  - name: gcr.io/cloud-builders/docker
    args: ['build', '-t', 'gcr.io/...', '.']
 #- next steps in your process...
  • In the Dockerfile, copy over .npmrc before package.json:

      COPY .npmrc ./
    
      COPY package*.json ./
    
  • Screenshot of my cloud build config

  • Now run, and see if it gets past the build step where it pulls the npm module from Artifact Registry.
user3524762
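
Added example, not part of the answer above or of any Google tooling: as that answer describes, the auth steps append an access token to .npmrc and the Dockerfile then copies that file into the image, where it persists in a layer, so a pre-build check like this one can report which lines of an .npmrc carry a stored credential. The function name, sample file contents and token value are constructed for illustration; `_authToken`, `_auth` and `_password` are npm's standard credential keys.

```javascript
// Added example: report credentials stored in an .npmrc before it is COPY'd into an image.
const CREDENTIAL_KEYS = new Set(['_authToken', '_auth', '_password']);

function findNpmrcCredentials(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // Skip blank lines and comments (.npmrc accepts both ';' and '#').
    if (!line || line.startsWith('#') || line.startsWith(';')) return;
    const eq = line.indexOf('=');
    if (eq === -1) return;
    const left = line.slice(0, eq).trim();
    // Strip one pair of matching quotes around the value.
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, '$2');
    // Per-registry keys look like //host/path/:_authToken, global ones like _authToken.
    const colon = left.lastIndexOf(':');
    const key = left.slice(colon + 1);
    if (!CREDENTIAL_KEYS.has(key)) return;
    // An empty placeholder stores nothing.
    if (value === '') return;
    // ${VAR} is expanded by npm from the environment at run time, so no secret is in the file.
    if (/^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value)) return;
    const registry = left.startsWith('//') ? left.slice(0, colon) : '(global)';
    // Report the length only, never the secret itself.
    findings.push({ line: i + 1, registry, key, length: value.length });
  });
  return findings;
}

// Constructed sample input; the token is a placeholder, not a real credential.
const SAMPLE_NPMRC = [
  '@scope_xxx:registry=https://us-east4-npm.pkg.dev/project_xxx/repo_xxx/',
  '//us-east4-npm.pkg.dev/project_xxx/repo_xxx/:always-auth=true',
  '; line below is what a stored token looks like',
  '//us-east4-npm.pkg.dev/project_xxx/repo_xxx/:_authToken="ya29.EXAMPLE-NOT-A-REAL-TOKEN"',
  '//registry.example.test/:_authToken=${NPM_TOKEN}',
  '//registry.example.test/:_password=',
].join('\n');

for (const f of findNpmrcCredentials(SAMPLE_NPMRC)) {
  console.log(`.npmrc line ${f.line}: ${f.key} stored for ${f.registry} (${f.length} chars)`);
}
```

In a build pipeline the same function would be fed the real file contents, and a non-empty result would fail the step before `docker build` runs.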

The solution that worked for me can be found in this blog post:

https://dev.to/brianburton/cloud-build-docker-and-artifact-registry-cicd-pipelines-with-private-packages-5ci2

AmmAr
    Please do not post link-only answers. Links break, are deleted, modified, etc. Put the solution in your answer so that links are not required. – John Hanley Mar 03 '22 at 20:00