deploy-appengine
Documentation misses authorisation for Artifact Registry
TL;DR
Due to GCP migration to Artifact Registry, on new projects one needs to add the Artifact Registry Reader permission to the service account. This is not mentioned in the documentation (README.md).
Expected behavior
The GHA runs with the permissions mentioned in the documentation.
Observed behavior
On a new project, which uses Artifact Registry for temp image, the build fails using the permissions mentioned in the documentation.
Adding Artifact Registry Reader solved the failure. All builds succeed.
Action YAML
```yaml
name: basic CD
on:
  push:
    branches: [ master, main ]
jobs:
  deploy-to-app-engine:
    runs-on: ubuntu-latest
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      # Checkout current branch
      - uses: 'actions/checkout@v3'
      # Authenticate via Service Account Key JSON
      # See https://github.com/google-github-actions/auth#authenticating-via-service-account-key-json-1
      - id: 'auth'
        uses: 'google-github-actions/auth@v2'
        with:
          credentials_json: '${{ secrets.GCP_SA_KEY }}'
      # Use Google official GHA to deploy 🎉
      - id: 'deploy'
        uses: 'google-github-actions/deploy-appengine@v2'
```
Log output
```text
Run google-github-actions/deploy-appengine@v2
  with:
    promote: true
  env:
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: xxx
    GOOGLE_APPLICATION_CREDENTIALS: xxx
    GOOGLE_GHA_CREDS_PATH: xxx
    CLOUDSDK_CORE_PROJECT: xxx
    CLOUDSDK_PROJECT: xxx
    GCLOUD_PROJECT: xxx
    GCP_PROJECT: xxx
    GOOGLE_CLOUD_PROJECT: xxx
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/12....1b2 -f /home/runner/work/_temp/6d3....993
Successfully authenticated
Running: gcloud app deploy --quiet --format json app.yaml --promote
Error: google-github-actions/deploy-appengine failed with: failed to execute gcloud command `gcloud app deploy --quiet --format json app.yaml --promote`: Services to deploy:
descriptor: [xxx/app.yaml]
source: [xxx]
target project: [xxx]
target service: [default]
target version: [20240223t165237]
target url: [xxx]
target service account: [xxx]
Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 16 files to Google Cloud Storage ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
Updating service [default]...
..............................................................................................................................................................................................................................................................................failed.
ERROR: (gcloud.app.deploy) Error Response: [7] failed to fetch metadata: generic::permission_denied: failed to fetch metadata from the registry for image "eu.gcr.io/.../app-engine-tmp/app/default/ttl-18h:42e...0141", with reason: generic::permission_denied: fetchImageMetadata from eu.gcr.io failed for image eu.gcr.io/.../app-engine-tmp/app/default/ttl-18h:42e3...41, reason: generic::permission_denied: failed to fetch manifest: generic::permission_denied: failed to fetch manifest "xxx/app-engine-tmp/app/default/ttl-18h/manifests/42...41", error: generic::permission_denied: got HTTP/403 response for URI https://eu.gcr.io/v2/xxx/app-engine-tmp/app/default/ttl-18h/manifests/42...41: (allowRedirect=false)
```
Additional information
The documentation lists 4 permissions to grant to the GHA service account. It should also include Artifact Registry Reader.
+1
You get an error like this: `reason: generic::permission_denied: failed to fetch manifest: generic::permission_denied:`
Docs do not have this; I got this issue on the standard environment.
The fix
- Enable the Artifact Registry API here
- Add the Artifact Registry Reader role to your service account.
A bug I encountered on the console: when you enable the API, go to the service account tab and try to add the role to your service account, you're unable to find the new roles. So the workaround is to go to the IAM tab and add it from there (ref: StackOverflow).
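As an added example (not code from the issue or the deploy-appengine project), a script that reads a project IAM policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports which roles the deploy service account still lacks, including the Artifact Registry Reader role this thread identifies. The four other role ids are my assumption of what the README documents, the service account name is constructed, and conditional bindings are deliberately not counted, since a time-limited grant may not hold when the workflow runs.

```python
"""Check a GCP project IAM policy for the roles a deploy-appengine service
account needs, including roles/artifactregistry.reader from this issue.

Usage: python check_roles.py policy.json SA_EMAIL   (no args: built-in sample)
"""
import json
import sys

# Assumed set of README-documented roles (not quoted from the issue) plus the
# Artifact Registry Reader role the issue reports as missing from the docs.
REQUIRED_ROLES = {
    "roles/appengine.appAdmin",
    "roles/iam.serviceAccountUser",
    "roles/storage.admin",
    "roles/cloudbuild.builds.editor",
    "roles/artifactregistry.reader",
}

SA = "gha-deploy@example-project.iam.gserviceaccount.com"  # constructed

# Constructed sample policy: the documented roles are bound unconditionally,
# Artifact Registry Reader only through an expired conditional binding.
SAMPLE_POLICY = {"bindings": [
    {"role": r, "members": [f"serviceAccount:{SA}"]}
    for r in sorted(REQUIRED_ROLES - {"roles/artifactregistry.reader"})
] + [
    {"role": "roles/artifactregistry.reader",
     "members": [f"serviceAccount:{SA}"],
     "condition": {"title": "temp",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]}


def roles_for_member(policy: dict, member: str) -> set:
    """Roles bound unconditionally to `member` (e.g. 'serviceAccount:x@y')."""
    return {
        b["role"] for b in policy.get("bindings", [])
        if "condition" not in b and member in b.get("members", [])
    }


def missing_roles(policy: dict, service_account: str) -> set:
    """Required roles the service account does not hold unconditionally."""
    return REQUIRED_ROLES - roles_for_member(policy, f"serviceAccount:{service_account}")


if __name__ == "__main__":
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    sa = sys.argv[2] if len(sys.argv) > 2 else SA
    for role in sorted(missing_roles(policy, sa)):
        print(f"missing: {role}")
```

Against the sample policy the only report is `missing: roles/artifactregistry.reader`, the same gap that produced the HTTP/403 on the eu.gcr.io manifest fetch in the log above.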
Fixed by #356 Thanks @hawkeye-sama !