An adventure into solving Jib's push to Artifact Registry authentication error

2023-02-18

Jib¹ is an awesome tool developed by Google to avoid messing around with Dockerfiles and the like. For most cases it worked fine for me, especially when pushing to Googles Container Registry. However, since I’ve started moving to Artifact registry, I’ve encountered a fun little error that is a bit obscured by Jib’s error messages and can lead you on a merry-go-round before you find the actual cause.

The problem

Assuming you have setup a service accound and have configured and authenticated with Docker and the service account has all the necessary permissions to push images to Artifact Registry, you happily execute

./gradlew :my-awesome-application:jib

and cross your fingers that it’ll go through. However, your pipeline sadly fails with a message similar to this:

> com.google.cloud.tools.jib.plugins.common.BuildStepsExecutionException: Build 
image failed, perhaps you should make sure your credentials for 
'europe-west1-docker.pkg.dev/****************/my-images/my-awesome-application' 
are set up correctly. 
See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#
what-should-i-do-when-the-registry-responds-with-unauthorized for help

You’re absolutely sure that you’ve configured the authentication correctly, so what gives?

A misleading message

It turns out that the message about authentication issues is rather misleading. The issue in my case was not any missing permissions or authentication errors. Running the same command with additional logging

./gradlew :my-awesome-application:jib --stacktrace

reveals that the issue is, in fact, somewhere else:

org.gradle.api.tasks.TaskExecutionException: Execution failed for task
':my-awesome-service:jib'
...
Caused by: com.google.cloud.tools.jib.http.ResponseException: 404 Not Found 
{
    "errors":[{
            "code":"NAME_UNKNOWN",
            "message":"Repository \"my-images\" not found"
        }]
}

The misleading message is probably not Jib’s fault, since Google seems to return RegistryUnauthorizedException when it can’t find a repository so it does look like that is the issue. However, further down the stacktrace you can find the above message, which tells you that the error is due to the missing registry.

Actually creating the Artifact Repository on GCP solves the issue in no time and pushing works as expected. It turns out that it can be time consuming to assume that repositories will be created automatically, if they are currently missing. Oh well… 🤦

https://github.com/GoogleContainerTools/jib ↩︎