GCP service account authentication not working with Tekton CI/CD

[anandjaisy]

I have set up the pipeline that does the below work

1. Clone the repo -- has its own secret and service account
2. Build the application -- There are some java libraries that are published in the google cloud artifact registry

gradle.build

repositories {
    mavenCentral()
    maven { url "artifactregistry://${LOCATION}-maven.pkg.dev/${PROJECT}/${REPOSITORY}" }
}

pipeline-run.yaml

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: run-pipeline
  namespace: tekton-pipelines
spec:
  serviceAccountName: fetebird-service-account
  pipelineRef:
    name: fetebird-discount
  workspaces:
    - name: shared-workspace
      persistentVolumeClaim:
        claimName: fetebird-discount-pvc
  params:
    - name: repo-url
      value: git@bitbucket.org:anandjaisy/discount.git

During the build process, I get an exception as 403 from server: Forbidden

2022-06-20T11:43:46.901622299Z Required by:
2022-06-20T11:43:46.905433716Z project :discount-api
2022-06-20T11:43:46.905908549Z project :discount-api > project :core
2022-06-20T11:43:46.907587216Z project :discount-api > project :infrastructure
2022-06-20T11:43:46.910430882Z > Could not resolve fete.bird:common:1.0.1.
2022-06-20T11:43:46.916549841Z > Could not get resource 'https://australia-southeast2-maven.pkg.dev/fetebird-350310/common/fete/bird/common/1.0.1/common-1.0.1.pom'.
2022-06-20T11:43:46.919566716Z > Could not GET 'https://australia-southeast2-maven.pkg.dev/fetebird-350310/common/fete/bird/common/1.0.1/common-1.0.1.pom'. Received status code 403 from server: Forbidden
2022-06-20T11:43:46.920126507Z
2022-06-20T11:43:46.921247424Z * Try:
2022-06-20T11:43:46.992466299Z > Run with --stacktrace option to get the stack trace.
2022-06-20T11:43:46.994160424Z > Run with --info or --debug option to get more log output.
2022-06-20T11:43:46.994594549Z > Run with --scan to get full insights.
2022-06-20T11:43:46.994759174Z
2022-06-20T11:43:46.995529757Z * Get more help at https://help.gradle.org
2022-06-20T11:43:46.995904924Z
2022-06-20T11:43:46.996231841Z BUILD FAILED in 4m 59s

Step failed

In the pipeline-run.yaml, I have a reference of serviceAccountName: fetebird-service-account which hold the below info

apiVersion: v1
kind: ServiceAccount
metadata:
  name: fetebird-service-account
secrets:
  - name: git-ssh-auth
  - name: gcp-secret

Here the two secrets are referred, the git ssh is working fine, however, GCP authentication is not working.

apiVersion: v1
kind: Secret
metadata:
  name: gcp-secret
  namespace: tekton-pipelines
type: kubernetes.io/opaque
stringData:
  gcs-config: |
    {
    "type": "service_account",
    "project_id": "fetebird-350310",
    "private_key_id": "xxxxxxxxxxxxxxxx",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEv2wSxSCg==\n-----END PRIVATE KEY-----\n",
    "client_email": "xxxxx@xxxxxx-350310.iam.gserviceaccount.com",
    "client_id": "106810669040474152540",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/fetebird%40fetebird-350310.iam.gserviceaccount.com"
    }

[dibyom]

for GCP auth to work you might have to manually use gcloud auth activate-service-account: https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account with the Service Account JSON

Alternatively try using GCP Workload Identity so that you do not have to pass around Service Account JSONs: https://wlyn.ch/posts/gcp-tekton-workload-identity/

(You should also definitely make sure the Service account key you pasted above is disabled since the private key is out in public)

[anandjaisy]

How do I do using tekton with https://cloud.google.com/sdk/gcloud/reference/auth/activate-service-account

[dibyom]

you can run the gcloud command in a step within a task or if you are using workload identity you can ensure that the Kubernetes Service Account specified in the Pipelinerun has access to artifact registry

[anandjaisy]

Can you please share an example? It will be really appreciated