
Federated Auth Tokens Based Auth to Artifact Registry (Without OAuth Access Tokens)

My specific issue: I'm trying to authenticate to Google Artifact Registry (GAR) directly using Workload Identity Federation without an intermediary service account (which I'm aware is one of the few options presently available). The Google documentation for Workload Identity Federation recommends the direct federation approach, but GAR seems to specifically require OAuth 2.0 access tokens for authentication. I'm well aware that using a Service Account along with the Workload Identity Provider fixes this issue. I'm simply interested in exploring an alternative solution that relies solely on Federated auth tokens.

What I've already tried:
1. Instead of providing an OAuth 2.0 Access Token, I tried configuring the gcloud CLI credential helper after setting up the Workload Identity Federation. It didn't help. When I tried pushing a built Docker container image to GAR, I received this error:

```
ERROR: failed to solve: failed to push <region/location>-docker.pkg.dev/<project_id>/<ar_repo>/<image_name>:v1: failed to authorize: failed to fetch oauth token: unexpected status from GET request to <valid_address> 403 Forbidden
```

Even though I hadn't provided/mentioned an OAuth Access Token.

2. I did the same but with the Standalone Docker credential helper. I received the exact same error, without referencing/providing an OAuth Access Token anywhere.

Error messages:

```
ERROR: failed to solve: failed to push <region/location>-docker.pkg.dev/<project_id>/<ar_repo>/<image_name>:v1: failed to authorize: failed to fetch oauth token: unexpected status from GET request to <valid_address> 403 Forbidden
```

Detailed Questions: 

  1. Is it possible to authenticate to Google Artifact Registry using direct Workload Identity Federation without a service account?
  2. Does GAR specifically require OAuth 2.0 access tokens rather than the federated token format?
  3. If direct authentication isn't supported, could this be considered for a feature enhancement, since the official documentation recommends direct federation?

Assuming I'm correct in thinking that it is an actual limitation of GAR, I think it would be a good idea to address it by adding the option to use Federated auth tokens. However, if I'm mistaken, I'd greatly appreciate your help.
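As an added example (not code from the original post, nor Google's own helper): a minimal Docker credential helper in Python that shows what the standalone helper hands Docker for a GAR host, namely the fixed `oauth2accesstoken` username plus an OAuth 2.0 access token, read here from an assumed `GAR_ACCESS_TOKEN` environment variable, and that refuses any host outside `*-docker.pkg.dev` so the token is never sent to another registry. It does not change what the registry accepts server-side; the token's origin is outside its scope.

```python
import json
import os
import sys
from urllib.parse import urlsplit

# Only Artifact Registry Docker hosts (<location>-docker.pkg.dev) may receive
# the token; any other registry gets "not found" so the helper cannot be used
# to leak the token to a foreign host.
ALLOWED_SUFFIX = "-docker.pkg.dev"


def registry_host(server_url: str) -> str:
    """Docker passes the registry as a bare host or a URL; normalise to a host."""
    url = server_url.strip()
    if "://" not in url:
        url = "https://" + url
    return urlsplit(url).hostname or ""


def credential_for(server_url: str, access_token: str):
    """Return the credential object Docker expects for a GAR host, else None."""
    host = registry_host(server_url)
    if not host.endswith(ALLOWED_SUFFIX):
        return None
    # GAR takes an OAuth 2.0 access token as the password for this fixed username.
    return {"ServerURL": host, "Username": "oauth2accesstoken", "Secret": access_token}


def main(argv) -> int:
    # Docker invokes `docker-credential-<name> get` with the server URL on stdin
    # and reads the JSON credential from stdout.
    if len(argv) != 2 or argv[1] != "get":
        return 1
    token = os.environ.get("GAR_ACCESS_TOKEN", "")  # assumed token source
    cred = credential_for(sys.stdin.read(), token)
    if cred is None or not token:
        # Canonical message Docker treats as "no credentials for this host".
        sys.stderr.write("credentials not found in native keychain\n")
        return 1
    json.dump(cred, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Installed as `docker-credential-<name>` on PATH and referenced from `credHelpers` in `~/.docker/config.json`, it is invoked with `get` for each matching host.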


Hi @GiladTrachten

Welcome to Google Cloud Community

There is already a feature request in relation to this topic where the objective is to configure WIF so that external identities authenticate directly using their federated principal identity, bypassing the Service Account impersonation step. At this time, there is no estimated completion date for this request. We appreciate your ongoing feedback to enhance the Google Cloud Platform. For reporting new problems, please submit a new issue tracker entry with the details.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.