Google Artifact Registry NPM + GitHub Actions



I am trying to publish an npm package to GAR (Google Artifact Registry) from GitHub using google-github-actions/auth@v0 and google-artifactregistry-auth.

For authenticating from GitHub to Google, here is what I did using Workload Identity Federation:

export PROJECT_ID="my-project-id"
gcloud iam service-accounts create "gh-deploy-service-account" --project "${PROJECT_ID}"
gcloud iam workload-identity-pools create "github-pool" --project="${PROJECT_ID}" --location="global" --display-name="Github pool"
gcloud iam workload-identity-pools describe "github-pool" --project="${PROJECT_ID}" --location="global" --format="value(name)"
export WORKLOAD_IDENTITY_POOL_ID=projects/my-custom-id-number/locations/global/workloadIdentityPools/github-pool
gcloud iam workload-identity-pools providers create-oidc "github-provider" \
  --project="${PROJECT_ID}" \
  --location="global" \
  --workload-identity-pool="github-pool" \
  --display-name="Github provider" \
  --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository" \
  --issuer-uri="https://token.actions.githubusercontent.com"
export REPO="@example/my-package"
gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/${WORKLOAD_IDENTITY_POOL_ID}/attribute.repository/${REPO}"

Then I created my artifact repository on Google:

gcloud artifacts repositories create npm-repository --repository-format=npm --location=asia-east2

Here is my GitHub workflow:

name: Publish Package
on:
  push:
    branches:
      - main
jobs:
  publish:
    timeout-minutes: 10
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 16
      - name: Install
        run: npm ci
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
          create_credentials_file: true
      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v0"
      - name: Create .npmrc
        run: |
          cat << EOF > .npmrc
          @example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
          //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken=""
          //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
          EOF
      - name: Artifact login
        run: |
          #export GOOGLE_APPLICATION_CREDENTIALS=${{ steps.auth.outputs.credentials_file_path }}
          npx google-artifactregistry-auth@v3 --repo-config=[./.npmrc] --credential-config=[./.npmrc]

But in this workflow I get an error in the "Artifact login" step. It tells me:

npm WARN exec The following package was not found and will be installed: google-artifactregistry-auth
Retrieving application default credentials...
Retrieving credentials from gcloud...
Error: Fail to get credentials. Please run: 
`gcloud auth application-default login`, `gcloud auth login`, or 
`export GOOGLE_APPLICATION_CREDENTIALS=<path/to/service/account/key>`
at Object.getCreds (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/auth.js:40:9)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async main (/home/runner/.npm/_npx/64aef35f3ba01c7c/node_modules/google-artifactregistry-auth/src/main.js:66:19)
Error: Process completed with exit code 1.

The full workflow is provided here. I don't know where my mistake is. Does my service account need more permissions? Or is it a problem with google-artifactregistry-auth? I really don't know :/

Thanks in advance for your help!

Edit 1: I tried following this documentation and added some permissions to my service account:

gcloud artifacts repositories add-iam-policy-binding npm-repository \
  --location asia-east2 --member=serviceAccount:my-service-account --role=roles/artifactregistry.writer

I finally figured it out!!! But in terms of security I am not sure whether there is any risk, so if someone can advise I will edit the answer!

Here is what changed, though I am not sure about the security side of it:

gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.serviceAccountTokenCreator" \
  --member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"

gcloud iam service-accounts add-iam-policy-binding "gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="${PROJECT_ID}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/github-pool-2/*"

I don't think I have really understood the principalSet option and all the possible attributes yet, so if anyone can advise on that I would be grateful!

Then don't forget to bind your repository to your service account:

gcloud artifacts repositories add-iam-policy-binding npm-repository \
  --location asia-east2 --member=serviceAccount:gh-deploy-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role=roles/artifactregistry.writer

For the GitHub workflow, I removed google-artifactregistry-auth and used the access_token in the .npmrc file.

Here is the full workflow:

name: Publish Package
on:
  push:
    branches:
      - main
jobs:
  publish:
    timeout-minutes: 10
    runs-on: ubuntu-latest
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 16
      - name: Install
        run: npm ci
      - id: "auth"
        name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@v0"
        with:
          workload_identity_provider: ${{ secrets.WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.SERVICE_ACCOUNT }}
          token_format: 'access_token'
      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v0"
      - name: Create .npmrc
        run: |
          cat << EOF > .npmrc
          @example:registry=https://asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/
          //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:_authToken="${{ steps.auth.outputs.access_token }}"
          //asia-east2-npm.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/npm-repository/:always-auth=true
          EOF
      - name: Artifact login
        run: |
          npm publish
