Deploy React app using GitHub actions, Workload identity and Cloud Run

Google Cloud Compute Infrastructure
1

Hello everyone,
I hope someone can help

When I try to do a docker push to an Artifact Registry repository using GitHub Actions, I get this error:

Unauthenticated request. Unauthenticated requests do not have permission “artifact registry.repositories.upload Artifacts” on resource “projects/react-cloud-run-deploy-452614/locations/us/repositories/gcr.io” (or it may not exist)

This is the GitHub Actions YAML:

SalomonGuttmann_3-1741354750758.png
SalomonGuttmann_3-1741354750758.png867×892 54 KB

I add the following permissions in the service account gcp-github-actions@react-cloud-run-deploy-452614.iam.gserviceaccount.com:

SalomonGuttmann_1-1741354402051.png
SalomonGuttmann_1-1741354402051.png681×742 118 KB

I create also an identity pool and an identity provider

SalomonGuttmann_2-1741354657314.png
SalomonGuttmann_2-1741354657314.png752×187 13.3 KB

Thanks for any advice

2

Hi @SalomonGuttmann ,

Welcome to Google Cloud Community!

It looks like the error that you are encountering may come from the GitHub Action Workflow, it may not be properly authenticated to push some images to Artifact Registry. There are ways that you might resolve it:

  • Ensure Correct IAM Roles
    Run these commands in Google Cloud SDK:

    gcloud projects add-iam-policy-binding react-cloud-run-deploy-452614 \

    --member="serviceAccount:gcp-github-actions@react-cloud-run-deploy-452614.iam.gserviceaccount.com" \

    --role="roles/iam.workloadIdentityUser"

gcloud projects add-iam-policy-binding react-cloud-run-deploy-452614 \

    --member="serviceAccount:gcp-github-actions@react-cloud-run-deploy-452614.iam.gserviceaccount.com" \

    --role="roles/artifactregistry.writer"​

  • Verify Workload Identity Federation Setup
    In your GitHub Actions YAML, make sure authentication is configured correctly:

    - name: 'Authenticate to Google Cloud'

  uses: 'google-github-actions/auth@v1'

  with:

    workload_identity_provider: 'projects/21489804540/locations/global/workloadIdentityPools/tutorial-github-pool/providers/tutorial-github-provider'

    service_account: 'gcp-github-actions@react-cloud-run-deploy-452614.iam.gserviceaccount.com'​

  • Ensure Correct Artifact Registry URL
    Use the correct format for pushing images:

    - name: Build and Push Image

  run: |

    docker build -t europe-west6-docker.pkg.dev/react-cloud-run-deploy-452614/gcr-repo/${{ github.sha }} .

    docker push europe-west6-docker.pkg.dev/react-cloud-run-deploy-452614/gcr-repo/${{ github.sha }}​

Try to re-run the workflows once the changes above have been made.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.

3

Hi Google,

Thanks for Feedback

I used your recommendations, and unfortunately it didn’t work.

The Commands in Google Cloud SDK according to GitHub Action Workflow, works:

[image: image.png]

But command docker push Still throw an error:

[image: image.png]

Du you have another suggestion?

Kind regards Salomon

4

Hello Google,
An hour before I send via mail one reply, please ignore this.
My Reply
I have implemented and tested your recommendations, but the error still occurs.

On the yaml File I add this:

SalomonGuttmann_0-1741858514037.png

And evaluates whether the principal currently has access to the specified resource:

SalomonGuttmann_1-1741858598400.png
SalomonGuttmann_1-1741858598400.png813×635 49.4 KB

And the repository react-gcp-deploy has those roles:

SalomonGuttmann_2-1741858697167.png
SalomonGuttmann_2-1741858697167.png872×751 66.6 KB

But the docker push command throw this error:

SalomonGuttmann_3-1741858797707.png
SalomonGuttmann_3-1741858797707.png699×343 41.1 KB

Do you have any other suggestions?

Kind regards Salomon

5

Hello everyone,
Is anyone working on my case?

Regards Salomon