Unauthenticated request error installing feature from private oci registry #457

Open
derektamsen opened this issue Apr 21, 2025 · 2 comments · May be fixed by #458

Comments

@derektamsen
I am having an issue installing a devcontainer feature in a coder workspace. The feature image is pushed to a private gcp artifact registry repository. The identity of the kubernetes service account is configured per the kaniko docs for workload identity authentication and the gcp service account has permission to pull images from the repo.

This is the log from coder (some lines redacted):

🐳 Queued pod from ReplicaSet: coder-8ad41073-62a9-46f8-ba22-dbb0765d701d-5f6db78945
🐳 Created pod: coder-8ad41073-62a9-46f8-ba22-dbb0765d701d-5f6db78945-wc884
Created pod: coder-8ad41073-62a9-46f8-ba22-dbb0765d701d-5f6db78945-wc884
Successfully assigned coder/coder-8ad41073-62a9-46f8-ba22-dbb0765d701d-5f6db78945-wc884 to <redacted>
AttachVolume.Attach succeeded for volume "pvc-528e230d-66bd-42ef-b5f2-0dc38a1f51bb" 
Pulling image "ghcr.io/coder/envbuilder:latest"
Successfully pulled image "ghcr.io/coder/envbuilder:latest" in 213ms (213ms including waiting). Image size: 32816815 bytes.
Created container: dev
Started container dev
envbuilder v1.1.0+a3a6a83 - Build development environments from repositories in a container
Using base64 encoded Docker config
Set DOCKER_CONFIG to /.envbuilder/.docker
Wrote Docker config JSON to /.envbuilder/.docker/config.json
#1: 📦 Cloning https://<redacted>.git to /workspaces/project...
#1: 🔒 Using HTTP basic authentication!
#1: Parsed Git URL as "https://<redacted>.git"
#1: 📦 The repository already exists! [2.577789ms]
No Dockerfile specified, looking for a devcontainer.json...
Building in Devcontainer mode using /.devcontainer/devcontainer.json
Restored DOCKER_CONFIG to 
error: compile devcontainer.json: extract feature us-docker.pkg.dev/redacted/directory/someprivatefeature:1: fetch feature image us-docker.pkg.dev/redacted/directory/someprivatefeature:1: GET https://us-docker.pkg.dev/v2/token?scope=repository%redacted%directory%someprivatefeature%3Apull&service=: DENIED: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.downloadArtifacts" on resource "projects/redacted-project/locations/us/repositories/redacted-repo" (or it may not exist)

My .devcontainer/devcontainer.json contains the following (updated to reflect the redacted log):

{
	"features": {
		"ghcr.io/devcontainers/features/github-cli:1": {
			"installDirectlyFromGitHubRelease": true,
			"version": "latest"
		},
		"ghcr.io/devcontainers/features/terraform:1": {
			"installTerraformDocs": true,
			"version": "1.11.4",
			"tflint": "latest",
			"terragrunt": "latest"
		},
		"ghcr.io/devcontainers/features/aws-cli:1": {
			"version": "latest"
		},
		"us-docker.pkg.dev/redacted/directory/someprivatefeature:1": {}
	},
	"image": "mcr.microsoft.com/devcontainers/base:bookworm",
	"name": "<redacted>",
	"runArgs": ["--env-file", ".devcontainer/devcontainer.env"]
}

The docker config file that is passed to .devcontainer/devcontainer.json contains the necessary credHelpers to support workload identity authentication to us-docker.pkg.dev.

{
  "auths": {},
  "credHelpers": {
    "gcr.io": "gcr",
    "us-central1-docker.pkg.dev": "gcr",
    "us-docker.pkg.dev": "gcr",
    "us.gcr.io": "gcr"
  }
}

envbuilder version: envbuilder v1.1.0+a3a6a83

@derektamsen
Author

Digging into this issue more, I suspect the primary issue is that the feature image pull request from envbuilder does not use any authentication. The relevant portion:

DENIED: Unauthenticated request. Unauthenticated requests do not have permission

Tracing this back from envbuilder -> kaniko -> go-containerregistry, I believe this means authentication is not being passed at all to the request to pull the image from the registry.

derektamsen added a commit to derektamsen/envbuilder that referenced this issue Apr 22, 2025
Add support for fetching feature layers from registries that require
authentication. The authentication pattern mimics what is done in other
places in the codebase. It will search the running environment for registry
credentials and use them to authenticate.

To set up authentication, follow the [same documentation as for pulling](https://github.com/coder/envbuilder/blob/main/docs/container-registry-auth.md)
other images from private registries.

fixes coder#457
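To make the failure mode in the comment above and the fix described in this commit message concrete, here is an added, self-contained Go example. It is not envbuilder's, kaniko's or go-containerregistry's own code. It reproduces the keychain lookup order Docker config uses (a `credHelpers` entry for the registry host first, then a static `auths` entry), runs a local `httptest` registry whose `/v2/token` endpoint denies anonymous requests the way Artifact Registry does in the log, and performs the same token exchange twice: once with an empty config (the pre-fix behaviour, where the feature fetch never consulted the keychain) and once with the config.json from the issue. `FakeGCRHelper`, `NewFakeRegistry`, `FetchToken` and the token values are constructed for this example; a real keychain would exec `docker-credential-gcr get` instead of calling an injected function.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthEntry is one static "auths" record: base64("user:password").
type AuthEntry struct {
	Auth string `json:"auth"`
}

// DockerConfig holds the parts of config.json that matter for registry auth.
type DockerConfig struct {
	Auths       map[string]AuthEntry `json:"auths"`
	CredHelpers map[string]string    `json:"credHelpers"`
}

// Credential is a resolved username/password (or username/token) pair.
type Credential struct {
	Username string
	Password string
}

// HelperFunc stands in for executing `docker-credential-<helper> get`.
// Assumption: injected so the example runs offline; a real keychain execs
// the helper binary and parses its JSON output.
type HelperFunc func(helper, host string) (Credential, error)

// PageDockerConfig is the config.json posted in the issue, verbatim.
const PageDockerConfig = `{
  "auths": {},
  "credHelpers": {
    "gcr.io": "gcr",
    "us-central1-docker.pkg.dev": "gcr",
    "us-docker.pkg.dev": "gcr",
    "us.gcr.io": "gcr"
  }
}`

// ParseDockerConfig decodes config.json text.
func ParseDockerConfig(text string) (DockerConfig, error) {
	var cfg DockerConfig
	err := json.Unmarshal([]byte(text), &cfg)
	return cfg, err
}

// FakeGCRHelper is a constructed stand-in for docker-credential-gcr, which
// returns "oauth2accesstoken" plus a short-lived access token from the
// workload identity metadata server. The token value here is made up.
func FakeGCRHelper(helper, host string) (Credential, error) {
	if helper != "gcr" {
		return Credential{}, fmt.Errorf("no such credential helper: %s", helper)
	}
	return Credential{Username: "oauth2accesstoken", Password: "constructed-access-token"}, nil
}

// ResolveCredential mirrors keychain lookup order: credHelpers for the host
// first, then a static auths entry. ok=false means nothing was found, so a
// request would go out anonymously, which is exactly the DENIED case above.
func ResolveCredential(cfg DockerConfig, host string, run HelperFunc) (Credential, bool, error) {
	if helper, found := cfg.CredHelpers[host]; found {
		cred, err := run(helper, host)
		return cred, err == nil, err
	}
	if entry, found := cfg.Auths[host]; found && entry.Auth != "" {
		raw, err := base64.StdEncoding.DecodeString(entry.Auth)
		if err != nil {
			return Credential{}, false, err
		}
		user, pass, split := strings.Cut(string(raw), ":")
		if !split {
			return Credential{}, false, errors.New("malformed auth entry for " + host)
		}
		return Credential{Username: user, Password: pass}, true, nil
	}
	return Credential{}, false, nil
}

// NewFakeRegistry serves a /v2/token endpoint that, like Artifact Registry,
// rejects anonymous or wrong-credential requests. Constructed for the example.
func NewFakeRegistry(wantUser, wantPass string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, hasAuth := r.BasicAuth()
		if !hasAuth || u != wantUser || p != wantPass {
			http.Error(w, "DENIED: Unauthenticated request.", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"token":"constructed-registry-token"}`)
	}))
}

// FetchToken performs the token exchange for a pull scope, attaching
// credentials only when the keychain resolved some, and returns the HTTP
// status: 401 for the anonymous (pre-fix) path, 200 once credentials flow.
func FetchToken(serverURL, host, repo string, cfg DockerConfig, run HelperFunc) (int, error) {
	req, err := http.NewRequest(http.MethodGet,
		serverURL+"/v2/token?scope=repository:"+repo+":pull&service="+host, nil)
	if err != nil {
		return 0, err
	}
	cred, ok, err := ResolveCredential(cfg, host, run)
	if err != nil {
		return 0, err
	}
	if ok {
		req.SetBasicAuth(cred.Username, cred.Password)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := NewFakeRegistry("oauth2accesstoken", "constructed-access-token")
	defer srv.Close()
	cfg, _ := ParseDockerConfig(PageDockerConfig)
	repo := "redacted/directory/someprivatefeature"
	// Pre-fix: the feature fetch ignores the keychain, so the config is effectively empty.
	anon, _ := FetchToken(srv.URL, "us-docker.pkg.dev", repo, DockerConfig{}, FakeGCRHelper)
	// Post-fix: the same fetch consults config.json and its credHelpers entry.
	authed, _ := FetchToken(srv.URL, "us-docker.pkg.dev", repo, cfg, FakeGCRHelper)
	fmt.Println("anonymous status:", anon, "authenticated status:", authed)
}
```

The point of the two calls in `main` is that nothing about the registry or the credentials changes between them; the only difference is whether the code path that fetches the feature layer asks the keychain at all, which is what the commit above adds.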
@derektamsen
Author

I made an attempt in #458 to add support for pulling feature images from private registries.
