Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden #606

Open
3 tasks done
AndreasBergmeier6176 opened this issue Sep 21, 2023 · 3 comments

Comments

@AndreasBergmeier6176
Copy link

Contributing guidelines

I've found a bug, and:

  • The documentation does not mention anything about my problem
  • There are no open or closed issues that are related to my problem

Description

I have two Google Artifact Registries:

  • foo: for fetching base images from
  • bar: for pushing images to

Now docker build works, if I replace foo by docker.io.
When however I run docker build using foo I get an error:

europe-west1-docker.pkg.dev/foo/ar/python:3.9-slim: failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden

[email protected] has Artifact Registry Reader permissions on europe-west1-docker.pkg.dev/foo/ar/python

So it seems like I cannot use the WIP access_token for accessing foo. But how would I then use WIP to login for foo?

Expected behaviour

Would be good if either it worked or at least the error message would state clearly why it doesn't work.

Actual behaviour

See above

Repository URL

No response

Workflow run URL

No response

YAML workflow

- id: auth
      uses: "google-github-actions/auth@v1"
      with:
        project_id: bar
        retries: 10
        service_account: '[email protected]'
        token_format: access_token
        workload_identity_provider: projects/${{ inputs.project_number }}/locations/global/workloadIdentityPools/github/providers/oidc
    - uses: google-github-actions/setup-gcloud@v1
    - run: |
        gcloud auth configure-docker -q europe-west1-docker.pkg.dev
    - uses: docker/login-action@v3
      with:
        registry: europe-west1-docker.pkg.dev
        username: oauth2accesstoken
        password: "${{ steps.auth.outputs.access_token }}"

Workflow logs

No response

BuildKit logs

No response

Additional info

No response

@ying-jeanne
Copy link

Hi I am not sure the problem I am having is related to this. I have a github action that use the action to login to docker artifect, it was working fine with v2, but since we update to v3 2 weeks ago, I am having this. just in case you can't see this is the error

Run docker/login-action@v3
  with:
    ecr: auto
    logout: true
Error: Username and password required

and this is my github workflow
https://github.com/grafana/mimir/blob/main/.github/workflows/push-mimir-build-image.yml#L34

@crazy-max
Copy link
Member

@ying-jeanne This is not related, see #29 (comment).

@tbernacchi
Copy link

tbernacchi commented Mar 21, 2024

Same here.

I'm following these steps https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

And when I've tried to pull a image from my private Artifact Registry on my GKE/k8s cluster I'm getting this:

unpack image "us-central1-docker.pkg.dev/org/containers/images/mongo-backup:1.0.4": failed to resolve reference "us-central1-docker.pkg.dev/org/containers/images/mongo-backup:1.0.4": failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://us-central1-docker.pkg.dev/v2/token?scope=repository%3Aorg%2Fcontainers%2Fimages%2Fmongo-backup%3Apull&service=us-central1-docker.pkg.dev: 403 Forbidden

Any ideias how to solve this? Any help will be appreciate!

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants