google-cloud-platform gitlab-ci google-container-registry jib

Jib - Google Container Registry: can't authenticate to the registry with error "Unable to parse json key"


I want to push my image to Google's container registry.

The command I'm using is (executed via GitLab CI, variables are working, testing it one stage ahead):

- mvn compile jib:build -Djib.to.image=$registry 
  -Djib.to.auth.username=_json_key -Djib.to.auth.password=$googleServiceAccount

The permission of the Service Account is 'Storage Object Administration'.

The error: (BTW: the Spring Boot application is working - testing on stage ahead)

Containerizing application to eu.gcr.io/(project-id), eu.gcr.io/(project-id):version...
 [WARNING] Base image 'gcr.io/distroless/java:11' does not use a specific image digest - build may not be reproducible
 [INFO] Using credentials from <to><auth> for eu.gcr.io/(project-id)
 [INFO] Getting manifest for base image gcr.io/distroless/java:11...
 [INFO] Building dependencies layer...
 [INFO] Building resources layer...
 [INFO] Building classes layer...
 [INFO] Using base image with digest: sha256:7fc091e8686df11f7bf0b7f67fd7da9862b2b9a3e49978d1184f0ff62cb673cc
 [INFO] 
 [INFO] ------------------------------------------------------------------------
 [INFO] BUILD FAILURE
 [INFO] ------------------------------------------------------------------------
 [INFO] Total time:  17.432 s
 [INFO] Finished at: 2020-09-08T17:20:30Z
 [INFO] ------------------------------------------------------------------------

Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.5.2:build (default-cli) on project projektarbeit: Build image failed, perhaps you should make sure your credentials for 'eu.gcr.io/(project-id)' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for eu.gcr.io/(project-id): 400 Bad Request
 [ERROR] {"errors":[{"code":"UNKNOWN","message":"Unable to parse json key."}]}

As password I tried, besides the JSON file, also to parse the key directly beginning with 'MIIEv...' (without \n and ---BEGIN/END----).

"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQI

I really hope that somebody can help me with this problem.


Solution

  • The value of $googleServiceAccount should be the content of the JSON key file (i.e., not a file path), such as

    {
      "type": "service_account",
      "project_id": "...",
      "private_key_id": "...",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMII...",
      "client_email": "....iam.gserviceaccount.com",
      "client_id": "...",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/....iam.gserviceaccount.com"
    }
    

    And of course, the content should be properly quoted/escaped if running on a command line.

    As officially documented, for example, if you were logging in locally with docker login, it would be

    docker login -u _json_key -p "$(cat keyfile.json)" https://[HOSTNAME]
    

    The Google Container Registry (GCR) server is complaining (400 Bad Request, meaning you sent an invalid/unexpected request) because it cannot parse the content of $googleServiceAccount as JSON.

    Therefore, I am pretty sure you are not providing the entirety of the JSON content of the key file or something's missing or broken that makes it an invalid JSON structure. Double-check the key file and the variable content.

    A common mistake is that $googleServiceAccount is a key file path. In that case, this may work:

    mvn compile jib:build \
      -Djib.to.image="$registry" \
      -Djib.to.auth.username=_json_key \
      -Djib.to.auth.password="$( cat "$googleServiceAccount" )"
    

    Note "$( cat ... )" to get the properly escaped/quoted JSON content of the file.
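
A pre-flight check for the cases discussed above, as an added example that is not part of the original answer: it classifies the value destined for `jib.to.auth.password` (key file path, bare private key, truncated JSON, or a complete key) without printing the secret. The function name, the field list (taken from the sample JSON above) and the constructed sample key are assumptions of this sketch.

```python
import json
import os

# Members checked, taken from the sample key JSON shown in the answer.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample key (not a real credential), used only for demonstration.
CONSTRUCTED_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "ci@example-project.iam.gserviceaccount.com",
}


def diagnose_json_key(value):
    """Classify a candidate _json_key password; never echoes the secret itself."""
    text = (value or "").strip()
    if not text:
        return "empty"
    # The "common mistake": the variable holds a path to the key file.
    if not text.startswith("{") and (text.endswith(".json") or os.path.isfile(text)):
        return "file_path"
    # Only the private_key member, or its base64 body, was supplied.
    if text.startswith("-----BEGIN") or text.startswith("MII"):
        return "bare_private_key"
    try:
        doc = json.loads(text)
    except ValueError:
        # Truncated content, e.g. cut at the first space by an unquoted expansion.
        return "invalid_json"
    if not isinstance(doc, dict):
        return "invalid_json"
    missing = [name for name in REQUIRED_FIELDS if not doc.get(name)]
    if missing:
        return "missing_fields:" + ",".join(missing)
    if doc["type"] != "service_account":
        return "wrong_type"
    if "-----BEGIN PRIVATE KEY-----" not in str(doc["private_key"]):
        return "malformed_private_key"
    return "ok"


if __name__ == "__main__":
    # Reads the same variable name the question uses; prints only the verdict.
    print(diagnose_json_key(os.environ.get("googleServiceAccount", "")))
```

Run it as a step before `mvn compile jib:build` and fail the job on any verdict other than `ok`.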