getting digest: UNAUTHORIZED: \"access to the requested resource is not authorized\""

[dkirrane]

Trying out the skaffold-jib support but hitting the following:

skaffold build

...

[INFO] Container entrypoint set to [java, -cp, /app/resources:/app/classes:/app/libs/*, com.demo.Application]
[INFO]
[INFO] Built and pushed image as nexus-mycompany.com/my-demo:efa216d171eacbc419bdb37164922744
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 18.920 s
[INFO] Finished at: 2018-10-15T11:03:11+01:00
[INFO] ------------------------------------------------------------------------
time="2018-10-15T11:03:12+01:00" level=fatal msg="build step: building [nexus-mycompany.com/my-demo]: getting digest: nexus-mycompany.com/my-demo:efa216d171eacbc419bdb37164922744: 
getting digest: UNAUTHORIZED: \"access to the requested resource is not authorized\""

Expected behavior

skaffold build completes sucessfully

Actual behavior

UNAUTHORIZED error

Information

• Skaffold version: version: v0.16.0
• Operating system: Windows 10 using latest GitBASH
• Contents of skaffold.yaml:

apiVersion: skaffold/v1alpha4
kind: Config

build:
  artifacts:
  - image: nexus-mycompany.com/my-demo
    jibMaven: 
      profile: prod
  tagPolicy:
      gitCommit: {}

deploy:
  helm:
    releases:
    - name: my-demo
      chartPath: helm
      valuesFiles:
        - values.yaml
      wait: true
      namespace: default
      version: "1.0"

Steps to reproduce the behavior

1. create simple spring boot 2 app (version 2.0.5.RELEASE)
2. added jib maven plugin to pom.xml

            <plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>jib-maven-plugin</artifactId>
                <version>0.9.11</version>
            </plugin>

3. skaffold build

[dgageot]

ping @GoogleContainerTools/java-tools

[briandealwis]

@dkirrane how have you authenticated to your nexus registry? via docker login, or via ~/.m2/settings.xml? See the following section for authentication with Jib. (That message is a skaffold error, not jib)

[loosebazooka]

It seems like this is step where skaffold is setting the tag. @coollog ? Skaffold's registry client might need auth info to the registry.

[coollog]

Yea, this looks to be a discrepancy between the auth info that Skaffold uses vs the auth info that Jib uses. @dkirrane - which authentication method are you using with Jib? (credential helper, settings.xml, or Docker login?)

[dkirrane]

I'm using settings.xml

<settings>
  ...
  <servers>
    ...
    <server>
      <id>nexus-mycompany.com</id>
      <username>MY_USERNAME</username>
      <password>MY_PASSWORD</password>
    </server>
  </servers>
</settings>

[dkirrane]

Also, I've update to skaffold v0.18.0 & jib 0.10.0
I tried switch to wincred credential helper (docker-credential-wincred.exe) as below

            <plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>jib-maven-plugin</artifactId>
                <version>0.10.0</version>
                <configuration>                    
                    <to>
                        <image>${docker.image.prefix}/${project.artifactId}</image>
                        <credHelper>wincred</credHelper>
                    </to>
                </configuration>                
            </plugin>

mvn compile jib:build is successful but skaffold build fails with same error.

Is there some setting I'm missing to setup auth for skaffold?

[coollog]

I believe skaffold actually fetches auth from the Docker config in order to retag the image with the skaffold tagging method. Therefore, you would need to either do a docker login with your credentials or edit your Docker config to use your wincred credential helper. I believe you may want to set the credsStore:

{
  "credsStore": "wincred"
}

@GoogleContainerTools/java-tools We might want to look into potentially adding a Jib goal/task that can expose the credentials Jib uses to Skaffold to use with the tagging logic, or having Skaffold somehow pull the same credentials without needing a Docker config.

[dgageot]

Fixed with #548

[briandealwis]

Fixed by #1475

[dkirrane]

@dgageot @briandealwis - I'm still hitting this issue on skaffold v0.23.0. I'm obviously missing something but not sure what...

~/.docker/config.json

{
	"auths": {
		"https://index.docker.io/v1/": {},
		"nexus.mycompany.com": {}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.0 (windows)"
	},
	"credsStore": "wincred",
	"credHelpers": {
		"asia.gcr.io": "gcr",
		"eu.gcr.io": "gcr",
		"gcr.io": "gcr",
		"staging-k8s.gcr.io": "gcr",
		"us.gcr.io": "gcr"
	}
}

The projects pom.xml has Jib

            <plugin>
                <groupId>com.google.cloud.tools</groupId>
                <artifactId>jib-maven-plugin</artifactId>
                <version>1.0.0</version>
                <configuration>
                    <from>
                        <image>gcr.io/distroless/java</image>
                    </from>
                    <to>
                        <image>nexus.mycompany.com/my-service</image>
                        <credHelper>wincred</credHelper>
                        <tags>
                            <tag>latest</tag>
                        </tags>
                    </to>
                </configuration>
            </plugin>

I've logged into Nexus

$ docker login nexus.mycompany.com
Username: me
Password:
Login Succeeded

Skaffold build is successful until this final line

skaffold build -v debug
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  16.690 s
[INFO] Finished at: 2019-02-16T21:04:33Z
[INFO] ------------------------------------------------------------------------
FATA[0019] build failed: building [nexus.mycompany.com/my-service]: build artifact: getting digest: UNAUTHORIZED: "access to the requested resource is not authorized"

I can see the credentials for Nexus stored in Windows Credentials Manager

[dkirrane]

Hi all, looks like this needs to /reopen

I've found that Skaffold doesn't work with wincred docker-credential-helper. However it does work with gcr credhelper so that's fine

When using wincred the error: getting digest: UNAUTHORIZED: \"access to the requested resource is not authorized\"

Workaround:

1. docker logout nexus.mycompany.com
2. remove wincred from ~/.docker/config.json
3. docker login nexus.mycompany.com --username x --password y
4. skaffold run now works

The username & password get stored in ~/.docker/config.json without using wincred e.g.

{
	"auths": {
		"nexus.mycompany.com": {
			"auth": "EncodedUsernamePasswordHere"
		}
	},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/18.09.0 (windows)"
	},
	"credHelpers": {
		"asia.gcr.io": "gcr",
		"eu.gcr.io": "gcr",
		"gcr.io": "gcr",
		"staging-k8s.gcr.io": "gcr",
		"us.gcr.io": "gcr"
	}
}

[balopat]

Reopening, thank you for looking into deeper!

[jonjohnsonjr]

This is probably a bug with how we interact with wincred or the default cred helper. I don't have a windows machine, so it's hard for me to debug, but I would expect it to work. We create a cred helper from credsStore here:
https://github.com/google/go-containerregistry/blob/bada66e31e55b96029f4e456f8eb107f58319629/pkg/authn/keychain.go#L128-L131

Which then calls this:
https://github.com/google/go-containerregistry/blob/bada66e31e55b96029f4e456f8eb107f58319629/pkg/authn/helper.go#L62-L102

So something weird is happening there.

[balopat]

I will start to look into windows bugs including this, as we are getting a windows machine now...

[dgageot]

I'm going to close this issue because it seems to work ok now. Feel free to reopen if you still see the issue.