Gcr private image pull auth: giving mapping values error - GCR google repository login only working with manual docker login call, not circleci auth: keyword

Build Environment
1

Hello,

I’ve been trying for a few days to get the “authenticating to Google container registry” directions working: https://circleci.com/docs/2.0/google-auth/

I copied and pasted the example found at that link and keep checking my yaml syntax but I keep getting the error: “Error parsing config file: yaml: line 5: mapping values are not allowed in this context” . I did successfully pull the image and run it using the machine executor step that involves a manual docker login call here: https://circleci.com/docs/2.0/private-images/ to confirm that my google environment service key was working.

Using circleci’s authentication to enter into the docker container would be much less clunky than manually pulling/running the private image and then sending commands to the running docker container.

I’m providing the yaml stubs that are working, and not working (I did scrub some sensitive information that is not relevant to the actual config syntax and are build and deploy code calls.)

First, the syntax that is not working:
#trying to match gcr syntax here: https://circleci.com/docs/2.0/google-auth/

I tried several tags including the sha digest tag for the image that I had created earlier for the pushed image, and none worked.

version: 2 
jobs:
    build:
        docker:
            - image: us.gcr.io/my-account/image1:v1.0.4 
                auth:
                    username: _json_key
                    password: $MY_GCLOUD_SERVICE_KEY

#rest of my commands - gave a stub to see flow of code.
        working_directory: ~/my_repo/
        steps:
            - checkout
            - run:
                shell: /bin/bash -e
                command: |
                ......(commands/rest of code that is not being flagged by circleci as error)

This is the working machine version login. Note that I first had to save my GCR/google cloud
project key into a json file for the _json_key to work. I am wondering if just passing the environment
variable above is the bug?

I also found that I needed us.gcr.io and not just gcr.io to tag the gcr repo for the manual login version.

version: 2 
jobs:
    build:
        machine: true
        working_directory: ~/my_repo/
 
        steps:
            # Docker is preinstalled, along with docker-compose
            - checkout

          # start proprietary DB using private Docker image
          # https://medium.com/google-cloud/using-googles-private-container-registry-with-docker-1b470cf3f50a
        #service key is circleci environment variable
            - run: |
                echo $MY_GCLOUD_SERVICE_KEY | base64 -d > servicekey.json
                docker login -u _json_key -p "$(cat servicekey.json)" https://us.gcr.io
                docker run -d --name db  us.gcr.io/my-account/image1:v1.0.4

Any tips? I know oftentimes circleci errors concern yaml. I’ve spent quite a while trying to root out where the yaml error could be around the auth: step though and putting the code into a yaml validator isn’t giving clues.

2

Use this parser to figure out mistakes, it’s mighty useful. Your auth key needs to be unindented by two spaces in order to be considered to be part of the parent docker object.

3

Hi John,

Thanks - so even though all my other indents are 4 spaces, I can only have two spaces to indent the auth: …interesting. That doesn’t follow the indentation example on circleci in the sense that all indentations were of the same number of spaces. I was not aware that certain indentations had to be half the number of spaces of other indentations for some Yaml syntax. I’ll use the parser link you provided in the future as the one I found online was not catching this.

4

Thanks for resolving the yaml syntax It turns out the json key as I suspected in my notes above it still an issue when passing it into circleci as an environment variable. The error now is “Unable to parse json key.”

Given that the environment variable works when written to a json key file in my second more manual example above, I’m not sure how to resolve this further using circleci’s syntax where you pass the json key as an environment variable.

The updated yaml below per your suggestion does pass the yaml parser without errors, however:

version: 2 
jobs:
    build:
        docker:
            - image: us.gcr.io/my-account/image1:v1.0.4 
              auth:
                  username: _json_key
                  password: $MY_GCLOUD_SERVICE_KEY
5

FYI this circleci thread seems to imply the JSON key should NOT be encoded now: JSON key should not be encoded by smart-alek · Pull Request #2195 · circleci/circleci-docs · GitHub . but this is how I get it to work above. I set up my key using earlier documentation that encouraged the base64 formatting; I just downloaded a new service key and kept it in the JSON format as an environment variable and now the code is working and pulling my image from the gcr repository.

6

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.