时间戳

首页 > 解决方案 > Jib - Google Container Registry:无法通过错误“无法解析 json 密钥”向注册表进行身份验证

google-cloud-platform - Jib - Google Container Registry:无法通过错误“无法解析 json 密钥”向注册表进行身份验证

问题描述

我想将我的图像推送到谷歌的容器注册表。

我正在使用的命令是(通过 Gitlab Ci 执行,变量正在工作,提前一个阶段对其进行测试):

- mvn compile jib:build -Djib.to.image=$registry 
  -Djib.to.auth.username=_json_key -Djib.to.auth.password=$googleServiceAccount

服务帐户的权限是“存储对象管理”。

错误:(顺便说一句:Spring Boot 应用程序正在运行 - 在前面的阶段进行测试)

Containerizing application to eu.gcr.io/(project-id), eu.gcr.io/(project-id):version...
 [WARNING] Base image 'gcr.io/distroless/java:11' does not use a specific image digest - build may not be reproducible
 [INFO] Using credentials from <to><auth> for eu.gcr.io/(project-id)
 [INFO] Getting manifest for base image gcr.io/distroless/java:11...
 [INFO] Building dependencies layer...
 [INFO] Building resources layer...
 [INFO] Building classes layer...
 [INFO] Using base image with digest: sha256:7fc091e8686df11f7bf0b7f67fd7da9862b2b9a3e49978d1184f0ff62cb673cc
 [INFO] 
 [INFO] ------------------------------------------------------------------------
 [INFO] BUILD FAILURE
 [INFO] ------------------------------------------------------------------------
 [INFO] Total time:  17.432 s
 [INFO] Finished at: 2020-09-08T17:20:30Z
 [INFO] ------------------------------------------------------------------------

Failed to execute goal com.google.cloud.tools:jib-maven-plugin:2.5.2:build (default-cli) on project projektarbeit: Build image failed, perhaps you should make sure your credentials for 'eu.gcr.io/(project-id)' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for eu.gcr.io/(project-id): 400 Bad Request
 [ERROR] {"errors":[{"code":"UNKNOWN","message":"Unable to parse json key."}]}

作为密码,除了json文件之外,我还尝试直接解析以'MIIEv ...'开头的密钥。(没有 \n 和 ---BEGIN/END----)

"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQI

我真的希望有人可以帮助我解决这个问题。

标签: google-cloud-platformgitlab-cigoogle-container-registryjib

解决方案

的值$googleServiceAccount应该是JSON密钥文件的内容(即不是文件路径),比如

{
  "type": "service_account",
  "project_id": "...",
  "private_key_id": "...",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMII...",
  "client_email": "....iam.gserviceaccount.com",
  "client_id": "...",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/....iam.gserviceaccount.com"
}

当然,如果在命令行上运行,内容应该被正确引用/转义。

正如官方记录的那样,例如,如果您使用 本地登录docker login,它将是

docker login -u _json_key -p "$(cat keyfile.json)" https://[HOSTNAME]

Google Container Registry (GCR) 服务器正在抱怨(400 Bad Request,这意味着您发送了一个无效/意外的请求),因为它无法将 的内容解析$googleServiceAccount为 JSON。

因此,我很确定您没有提供密钥文件的全部 JSON 内容,或者某些内容丢失或损坏,从而使其成为无效的 JSON 结构。仔细检查密钥文件和变量内容。

一个常见的错误是$googleServiceAccount密钥文件路径。在这种情况下,这可能会起作用:

mvn compile jib:build \
  -Djib.to.image=$registry \
  -Djib.to.auth.username=_json_key \
  -Djib.to.auth.password="$( cat $googleServiceAccount )"

请注意"$( cat ... )"获取文件的正确转义/引用的 JSON 内容。

推荐阅读