#How to use WithRegistryAuth and GAR

I'm trying to use this method directly because of token expiration in long builds.

• docker can push
• dagger can push without this step
  So am I using this incorrectly?

        // username := "jenkins@foo-dev.iam.gserviceaccount.com"
                // ideally we use a service account here, neither works however
        username := "tony@foo.com"

        // get fresh auth creds because GCP oauth is quite short-lived
        out, err := exec.Command("gcloud", "auth", "print-access-token", "--account", username).CombinedOutput()
        if err != nil {
            return fmt.Errorf("while refreshing auth to registry: %w", err)
        }
        token := rt.Dagger.SetSecret("gcp-oauth-token", string(out))

        registry := "us-central1-docker.pkg.dev"

        // publish to GCR/GAR
        _, err = comp.Final.
            WithRegistryAuth(
                registry,
                username,
                token,
            ).
            Publish(rt.Ctx, uri)

No matter the incantation, I get a 405 method not allowed

failed to export: failed to push us-central1-docker.pkg.dev/foo-dev/eng/foo/backup-db:feature-di-1205-fedx-poc-local: failed to authorize: failed to fetch oauth token: unexpected status from POST request to https://us-central1-docker.pkg.dev/v2/token: 405 Method Not Allowed

Here's what ended up working, note the username is not the same as the account name

        username := "jenkins@foo-dev.iam.gserviceaccount.com"

        // get fresh auth creds becuase GCP oauth is quite short-lived
        out, err := exec.Command("gcloud", "auth", "print-access-token", "--account", username).CombinedOutput()
        if err != nil {
            return fmt.Errorf("while refreshing auth to registry: %w", err)
        }
        token := rt.Dagger.SetSecret("gcp-oauth-token", string(out))

        // publish to GAR
        _, err = comp.Final.
            WithRegistryAuth(
                uri,  // full image URI  (<repo>/<img>:<tag>)
                "oauth2accesstoken",
                token,
            ).
            Publish(rt.Ctx, uri)
        if err != nil {
            return fmt.Errorf("while uploading image to registry (%s) on host: %w", uri, err)
        }

@frigid trout would you say this should be escalated to an engine bug report on github?

hmm, as far as Dagger goes, the above function could use a bit more documentation

w.r.t. expiring tokens, that seems like something the underlying system should be handling the refresh on so I don't need to use this function to begin with

@frigid trout have you tried via the credential helpers route? https://cloud.google.com/artifact-registry/docs/docker/authentication#gcloud-helper

AFAIK since that's a standard docker auth mechanism, it should play along with Dagger also

I suspect there are edge cases with the above work around

yes, that is what we use normally, the issue is that the tokens expire after ~42m and are not refreshed, so long builds or dagger session start failing b/c auth

ok, I see.. seems like dagger doesn't handle the expirations and re-auth then. Seems like a use-case that should be supported

If this is buildkit, I wouldn't be surprised if there was a reproducer if you have a 1h build, unless the auth obtain at pull & push

unless b/c docker makes those steps explicitly separate, you don't really see it, not sure if buildx would have similar workflow to dagger (build+push in one command)

do you perform multiple pushes during your build?
I just can't recall when the actual registry authentication via config.json happens in dagger

I'd "assume" it's evaluated on-demain as soon as publish is called. But not 100% sure about it

I guess that's the difference with buildkit / bake. You only have one push at the very end of the build process whether in Dagger this could happen multiple times during the same pipeline

yes, like 20+, all micro services for a product in one shot from a monorepo