Hello,
I have a CI running on GKE with WLI enabled that currently works with Kaniko and can publish to my Google Artifact Registry.
I would like to move to buildpacks, and I read that Google buildpacks use Google Cloud libraries that leverage the ADC flow, so it should publish directly like Kaniko does.
When I try the cnb/lifecycle/creator, it fails at the analyzer step with an error about authenticating to the registry and not having the correct permissions… but the KSA has the correct permissions via WLI.
So my question is: are buildpacks really leveraging the ADC flow?
Can I have some help ?
I’d rather not mount a volume on my CI node or create a secret for storing my ServiceAccount JSON, as it’s not secure; furthermore, my organization does not allow ServiceAccount key creation.
Yes, Google Buildpacks can leverage Application Default Credentials (ADC), but the cnb/lifecycle/creator must run in an environment where ADC can access the correct identity. In your GKE CI with Workload Identity (WLI), ensure that the Kubernetes service account (KSA) is correctly mapped to the Google service account (GSA) with Artifact Registry permissions and that the buildpacks process inherits the KSA’s identity. The authentication error usually occurs when the creator runs outside the WLI context or doesn’t see the projected credentials. No JSON key or volume mount is needed—just verify the KSA→GSA mapping and that the container runs with the correct KSA so ADC works automatically.
Yes, Google Buildpacks can use Application Default Credentials (ADC) when running in an environment where ADC can access the correct identity. In GKE with Workload Identity, ensure the Kubernetes service account is properly mapped to the Google service account with Artifact Registry permissions, and that the buildpack process runs under this KSA. Authentication errors usually occur if the creator runs outside the WLI context or lacks projected credentials—no JSON key is needed if the KSA→GSA mapping and permissions are correctly configured.
Hello @Grace_Miller, thanks for your response, and indeed Google Buildpacks (and other BP packages) support ADC. Everything was set up correctly (GSA/KSA/WLI), but I needed to pass the auth information to buildpacks correctly, which ended up being the following:

```yaml
before_script:
  # create docker credentials via gcloud cli
  - gcloud auth configure-docker MY_REGION-docker.pkg.dev
```

(ref https://cloud.google.com/sdk/gcloud/reference/auth/configure-docker )
Then it ran smoothly.
I hope this will help others implementing BP in a CI workflow on GKE and using Google Artifact Registry.
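As an added example (not from the thread or from the buildpacks project): a small Python check that resolves a registry host against Docker's `config.json` the way registry clients such as the lifecycle's do, showing why the analyzer step was treated as anonymous until `gcloud auth configure-docker` wrote a `credHelpers` entry for the Artifact Registry host. The region, project and repository names are placeholders.

```python
"""Resolve how a registry host will be authenticated from a Docker config.json.

Lookup order mirrors Docker's config semantics: a per-host "credHelpers"
entry wins, then a global "credsStore", then a static "auths" entry.
With none of them, the client falls back to anonymous access, which is
what makes the analyzer's registry call fail before `gcloud auth
configure-docker <REGION>-docker.pkg.dev` has been run.
"""
import json
import os
from typing import Optional


def credential_source(config: dict, image_ref: str) -> Optional[str]:
    """Return the credential source for image_ref's registry host, or None."""
    host = image_ref.split("/", 1)[0]
    helper = config.get("credHelpers", {}).get(host)
    if helper:
        return f"credHelper:{helper}"
    store = config.get("credsStore")
    if store:
        return f"credsStore:{store}"
    if host in config.get("auths", {}):
        return "auths:static"
    return None


def load_docker_config(path: Optional[str] = None) -> dict:
    """Load ~/.docker/config.json (or an explicit path); missing file -> {}."""
    path = path or os.path.join(os.path.expanduser("~"), ".docker", "config.json")
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {}


# Constructed samples: config.json before and after running
#   gcloud auth configure-docker europe-west1-docker.pkg.dev
# (region is a placeholder, not from the thread)
BEFORE_CONFIGURE: dict = {}
AFTER_CONFIGURE = {"credHelpers": {"europe-west1-docker.pkg.dev": "gcloud"}}

if __name__ == "__main__":
    image = "europe-west1-docker.pkg.dev/my-project/my-repo/app:latest"
    for label, cfg in (("before", BEFORE_CONFIGURE), ("after", AFTER_CONFIGURE)):
        print(label, credential_source(cfg, image) or "anonymous (registry will deny push)")
    print("live", credential_source(load_docker_config(), image) or "anonymous")
```

Running it on the CI runner after `before_script` should report `credHelper:gcloud` for your registry host; anything else means the lifecycle will not pick up the Workload Identity token.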