
Unauthenticated requests do not have permission #233

Open
wieringen opened this issue Dec 9, 2024 · 1 comment

Comments


wieringen commented Dec 9, 2024

The GitHub Action example is not working for me. I'm getting the following error.

```
INF v0.4.12 (commit: 5d4a3e8da027d6d1ca1e611f72da76ec703dcb3c, built: 2024-12-09 08:33 UTC)
ERR error running app: error executing command: error getting full url: Getting digest from url failed: GET https://europe-west4-docker.pkg.dev/v2/token?scope=repository%3Axxx%2Fxxx%2Fapi%3Apull&service=: DENIED: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.downloadArtifacts" on resource "projects/xxx/locations/europe-west4/repositories/xxx" (or it may not exist)
```

The docker image is pushed to GAR, so I'm sure my credentials are correct.

```yaml
- name: Authenticate to GCP
  id: auth
  uses: google-github-actions/auth@v2
  with:
    token_format: access_token
    workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
    service_account: [email protected]

- name: Login to GCP Artifact Registry
  uses: docker/login-action@v3
  with:
    registry: europe-west4-docker.pkg.dev
    username: oauth2accesstoken
    password: ${{ steps.auth.outputs.access_token }}

- name: Meta
  id: meta
  uses: docker/metadata-action@v5
  with:
    images: ${{ env.REPOSITORY }}/${{ env.IMAGE }}
    tags: |
      type=ref,event=tag
      type=sha,format=long

- name: Build
  id: build
  uses: docker/build-push-action@v6
  with:
    context: ${{ env.IMAGE }}/
    push: true
    sbom: true
    provenance: mode=max,generator=image
    tags: ${{ steps.meta.outputs.tags }}
    labels: ${{ steps.meta.outputs.labels }}
    cache-from: type=gha,scope=${{ env.IMAGE }}
    cache-to: type=gha,mode=max,scope=${{ env.IMAGE }}

- name: Run Trivy vulnerability scanner
  uses: aquasecurity/[email protected]
  with:
    image-ref: "${{ env.REPOSITORY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }}"
    format: 'json'
    output: 'trivy-results.json'

- name: Run aactl
  uses: docker://gcr.io/cloud-builders/aactl:latest
  with:
    args: vulnerability --project xxx --source "${{ env.REPOSITORY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }}" --file trivy-results.json
```


wieringen (Author) commented

This works, but isn't very elegant. At least it proves that something is wrong with the cloud-builder.

```yaml
- uses: actions/setup-go@v5
- name: Run aactl
  run: |
    go install github.com/GoogleCloudPlatform/aactl/cmd/aactl@latest
    GOOGLE_CLOUD_QUOTA_PROJECT=xxx aactl vulnerability --project=xxx --source "${{ env.REPOSITORY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }}" --file trivy-results.json
```
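An added diagnostic, not part of this issue or of aactl: it parses the DENIED line quoted in the report above to show that the token request reached the registry with no credentials and an empty `service=` value, and builds the authenticated token exchange that a preflight step could run with the `google-github-actions/auth` access token before the aactl step, so a missing-credential failure is reported by the workflow rather than by aactl's digest lookup. The `service=<registry host>` parameter and the `token` response key are assumed from the Docker registry token protocol; the sample log line is a constructed copy of the one in the issue.

```python
import base64
import json
import re
import urllib.parse
import urllib.request

# Constructed copy of the error line quoted in the issue (project and repo redacted as xxx).
SAMPLE_ERR = ('ERR error running app: error executing command: error getting full url: '
              'Getting digest from url failed: GET https://europe-west4-docker.pkg.dev/v2/token'
              '?scope=repository%3Axxx%2Fxxx%2Fapi%3Apull&service=: DENIED: Unauthenticated '
              'request. Unauthenticated requests do not have permission '
              '"artifactregistry.repositories.downloadArtifacts" on resource '
              '"projects/xxx/locations/europe-west4/repositories/xxx" (or it may not exist)')

def parse_registry_error(line):
    """Pull the token URL, its decoded scope/service and the IAM permission and resource out
    of a registry DENIED line, so a workflow log shows whether the request was anonymous."""
    m = re.search(r'GET (https://\S+?/v2/token\?\S*?): (\w+): (.*)$', line)
    if not m:
        return None
    url, code, msg = m.groups()
    parsed = urllib.parse.urlparse(url)
    q = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
    perm = re.search(r'permission "([^"]+)" on resource "([^"]+)"', msg)
    return {
        'registry': parsed.netloc,
        'scope': q.get('scope', [''])[0],        # e.g. repository:<proj>/<repo>/<image>:pull
        'service': q.get('service', [''])[0],    # empty in the URL from the issue
        'code': code,
        'unauthenticated': msg.startswith('Unauthenticated'),
        'permission': perm.group(1) if perm else None,
        'resource': perm.group(2) if perm else None,
    }

def token_request(registry, scope, access_token):
    """Build the token exchange docker/login-action's credentials correspond to: HTTP basic auth
    oauth2accesstoken:<token>, with service= set to the registry host (assumed, as for gcr.io)."""
    query = urllib.parse.urlencode({'scope': scope, 'service': registry})
    req = urllib.request.Request('https://%s/v2/token?%s' % (registry, query))
    cred = base64.b64encode(('oauth2accesstoken:' + access_token).encode()).decode()
    req.add_header('Authorization', 'Basic ' + cred)
    return req

def preflight(registry, scope, access_token):
    """Run the exchange before aactl; returns the pull-scoped bearer token, or raises
    HTTPError carrying the registry's DENIED body if the token is missing or lacks permission."""
    with urllib.request.urlopen(token_request(registry, scope, access_token), timeout=10) as r:
        return json.load(r).get('token')
```

Running `parse_registry_error` over the failing step's log line is offline; `preflight` is the network call to add as its own step, with the access token passed in from the auth step's output.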
