I have a project from which I want to copy a few container images to another project using a Node application. I use the container-image-builder module for this. The copying works with service account credentials, but I want to use user account credentials. The OAuth credentials allow only copying of images within the project but not across multiple projects, as OAuth credentials restrict to a single project per application. Is there any other solution so that I can use the user account? I tried the following:

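const express = require('express');
const imgBuilder = require('container-image-builder');

const app = express();

app.get('/demo', function (req, res) {
  imageCopy();
  ...
});

app.listen(8080);


async function imageCopy() {
  var imgName = 'us.gcr.io/myProj/hello-world';
  var trgtImg = 'us.gcr.io/targetProj/hello-world';
  var _clientOptions = {
    clientId: "xxxx.apps.googleusercontent.com",
    clientSecret: "yyyy",
    redirectUri: "https://domain/XYZ"
  };
  // Request registry credentials for the source image using the OAuth client options.
  var auth = imgBuilder.auth(imgName, "push,pull", {
    'us.gcr.io': {
      clientOptions: _clientOptions
    }
  });
  auth.then(async function (credentials) {
    // Copy the source image to the target repository under the given tag.
    const image = new imgBuilder.Image(imgName, trgtImg, credentials);
    const result = await image.save(['dev-latest']);
    console.log(result);
  }).catch(console.error);
}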

I also extracted the token and sent the same:

// config, log and appScope are defined elsewhere in the application.
const { google } = require('googleapis');
const url = require('url');

var auth = new google.auth.OAuth2(
  config.google.clientId,
  config.google.clientSecret,
  config.google.redirectUri
);

// Tokens returned by the OAuth code exchange; set in getGoogleAccountFromCode().
let tokens;
let listener;

function initialize(appRouter, serviceListener) {
  log.debug('initialize');
  appRouter.get('/XYZ/login', renderLoginPage);
  appRouter.get('/XYZ', proceed);

  listener = serviceListener;
}

function renderLoginPage(req, res) {
  res.render('auth.html', {
    title: "xxxx",
    ....
    login_btn_description: "Login with Google",
    login_link: generateGoogleURL()
  });
}

// Build the consent URL the login button points to.
function generateGoogleURL() {
  return auth.generateAuthUrl({
    access_type: 'offline',
    prompt: 'consent',
    scope: appScope
  });
}

// OAuth redirect handler: exchange the authorization code, then start the copy.
function proceed(req, res) {
  const qs = new url.URL(req.url, config.devhostname);
  const code = qs.searchParams.get('code');
  getGoogleAccountFromCode(code).then(function () {
    imageCopy();
    ...
  }).catch(console.error);
}

async function getGoogleAccountFromCode(code) {
  const data = await auth.getToken(code);
  tokens = data.tokens;
  auth.setCredentials(tokens);
}

async function imageCopy() {
  var imgName = 'gcr.io/myProj/hello-world';
  var trgtImg = 'gcr.io/trgtProj/hello-world';
  // The user's OAuth tokens are passed as the client options for gcr.io.
  const image = new authParam.Image(imgName, trgtImg, {
    'gcr.io': {
      clientOptions: tokens
    }
  });
  const result = await image.save(['dev-latest']);
}

OAuth credentials are restricted to a single project, so what credentials of the user account should I use?

amv
  • You want to copy some container images from one project to another. You are able to do so using a service account but you want to do the same thing using a "user" account. Correct? Have you tried adding the same role that the service account has to the user account? (When copying from one project to another, the identity credentials need to have, at least, read permissions in one project and write permissions in the other, but depending on the resource it could need other permissions as well.) Also, which error are you encountering when using the user account? – Mayeru Jul 30 '19 at 08:07
  • You are right. I had given the owner permission to the user account and had given the appropriate scopes during the OAuth flow. I understand that OAuth flow is restricted to a specific project and hence I receive the 403 Forbidden error while uploading the image layers at https://github.com/google/nodejs-container-image-builder/blob/9e85d2fbb44d09f31aa73bdb98479ede879757c7/src/registry.ts#L274 – amv Jul 31 '19 at 07:34
  • I know it is possible to use a user account that has appropriate permissions to copy images to multiple projects using docker commands in a shell script or gcloud. But my question is, is this possible using Node.js APIs for user accounts? – amv Jul 31 '19 at 07:34
  • To clarify, you have already successfully done this using user accounts through gcloud commands? If so, then the issue would not be the permissions themselves but may be a misconfiguration when you are setting up the "container-image-builder" authentication to the Google Container Registry. -> https://github.com/google/nodejs-container-image-builder/tree/9e85d2fbb44d09f31aa73bdb98479ede879757c7#docker-registry-auth – Mayeru Jul 31 '19 at 11:18
  • I install gcloud sdk, authenticate using the user account and also configure docker. Then run the script with docker commands. The images are successfully copied. I have also gone through the link that you have mentioned, but other than OAuthCredentials, I do not see which option I have to pass to copy images to a different project using the same user account credentials. I did use a service account and it works, but I want to know if this is possible with a user account. I believe if we can do this with docker commands, then we must be able to do this using APIs. But I do not know which option to use. – amv Aug 01 '19 at 06:27
  • I referred to https://github.com/googleapis/google-auth-library-nodejs/blob/master/src/auth/googleauth.ts#L64 for sending the options – amv Aug 01 '19 at 06:29
  • I see, in that case I think I will need to try to reproduce what you are trying to do in order to clearly see what could be the misconfiguration (from what I have understood you are able to do the copy with the user account so the permissions shouldn't be an issue if you authenticate with the same user account). Could you edit your question with the Node.js code you are using and where you are running it from (remember to redact any sensitive data that could be in the code, i.e. your project id, passwords, keys, ...) – Mayeru Aug 01 '19 at 11:33
  • You can use the same service account in multiple projects. It is just an IAM identity that can be assigned to a project/folder/organization with roles. – John Hanley Aug 01 '19 at 21:19
  • @John Hanley, I know that the same service account can be used. My question is if the same user account can be used and if yes, how? – amv Aug 02 '19 at 09:14
  • @Mayeru, updated the question with code. – amv Aug 02 '19 at 09:14
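
The access requirement raised in the comments above (read on the source project, write on the target), as an added example that is not part of the original posts or of container-image-builder. It parses the two image references from the question, lists the Docker Registry token-auth scopes (`repository:<name>:<actions>`) a copy needs, and reports which are not covered by a set of granted scopes. The function names and the granted list are constructed for illustration, and the code assumes the target needs both pull and push.

```javascript
// Added example; parseImageRef, requiredScopes and missingScopes are hypothetical helpers.

// Split "host/project/repo[:tag|@digest]" into registry host and repository path.
function parseImageRef(ref) {
  const slash = ref.indexOf('/');
  if (slash < 1) throw new Error(`no registry host in "${ref}"`);
  let repository = ref.slice(slash + 1).split('@')[0];   // drop a digest
  const colon = repository.lastIndexOf(':');
  if (colon !== -1) repository = repository.slice(0, colon); // drop a tag
  if (!repository) throw new Error(`no repository in "${ref}"`);
  return { host: ref.slice(0, slash), repository };
}

// Parse "type:name:action,action"; the name itself may contain colons.
function parseScope(scope) {
  const first = scope.indexOf(':');
  const last = scope.lastIndexOf(':');
  if (first === -1 || first === last) throw new Error(`malformed scope "${scope}"`);
  return { type: scope.slice(0, first), name: scope.slice(first + 1, last),
           actions: scope.slice(last + 1).split(',').filter(Boolean) };
}

// Assumption: a copy needs pull on the source and pull,push on the target.
function requiredScopes(sourceRef, targetRef) {
  const src = parseImageRef(sourceRef);
  const dst = parseImageRef(targetRef);
  return [
    { host: src.host, scope: `repository:${src.repository}:pull` },
    { host: dst.host, scope: `repository:${dst.repository}:pull,push` },
  ];
}

// Return "host type:name:actions" for every required action nobody granted.
function missingScopes(required, granted) {
  const missing = [];
  for (const need of required) {
    const want = parseScope(need.scope);
    const have = new Set();
    for (const g of granted) {
      const got = parseScope(g.scope);
      if (g.host === need.host && got.type === want.type && got.name === want.name) {
        got.actions.forEach((a) => have.add(a));
      }
    }
    const lacking = want.actions.filter((a) => !have.has(a));
    if (lacking.length) missing.push(`${need.host} ${want.type}:${want.name}:${lacking.join(',')}`);
  }
  return missing;
}

// Constructed sample: credentials requested for the source image only.
const grantedSample = [{ host: 'us.gcr.io', scope: 'repository:myProj/hello-world:push,pull' }];
console.log(missingScopes(requiredScopes('us.gcr.io/myProj/hello-world', 'us.gcr.io/targetProj/hello-world'), grantedSample));
```

A registry host mismatch (for example `gcr.io` in the image reference against credentials keyed by `us.gcr.io`) shows up in the same report, because grants are matched per host.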

1 Answer

As you may see in the Google Authentication Overview, it's highly recommended to use the service account instead of a user account in your app. Also, in some situations user accounts are not allowed as an authentication method; this could be why you cannot use the user account.

Adad O.