I am attempting to use a GitLab runner to build an image in GKE and then push that image to GCR. This always fails and outputs an AWS error at first.
My understanding is that the building pod is created within the same namespace as the GCR-appropriate service account that should do the push. The pod seems either not to be using Workload Identity or to be failing for some other reason.
GitLab YAML
buildmygcr:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  tags:
    - cluster
    - kubernetes
  script:
    - /kaniko/executor --verbosity debug --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination gcr.io/myproject/test:test --cache=false
Build Error
DEBU[0000] Copying file /builds/user/test/Dockerfile to /kaniko/Dockerfile
E0403 20:18:16.646782 21 aws_credentials.go:77] while getting AWS credentials NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "gcr.io/myproject/test:test": creating push check transport for gcr.io failed: GET https://gcr.io/v2/token?scope=repository%myproject%2Ftest%3Apush%2Cpull&service=gcr.io: UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
Cleaning up file based variables
00:00
ERROR: Job failed: command terminated with exit code 1
Workload Identity Test shows the proper account for the namespace
root@workload-identity-test:/# gcloud auth list
Credentialed Accounts
ACTIVE ACCOUNT
* mysvcaccount@myproject.iam.gserviceaccount.com
To set the active account, run:
$ gcloud config set account `ACCOUNT`