bootBuildImage fails to authenticate with GCP Artifact Registry using Docker credential helper

[lnhrdt]

I'm trying to transition some of our container image builds from using the pack CLI to using Spring Boot's bootBuildImage Gradle task.

Previously, our CI pipeline (GitHub Actions) authenticated to Google Artifact Registry using:

gcloud auth configure-docker <REGISTRY>

This sets a Docker config like:

{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "<redacted>"
    }
  },
  "credHelpers": {
    "<REGISTRY>": "gcloud"
  }
}

Which works perfectly with pack build --publish, which successfully pushes to Artifact Registry.

However, when switching to Spring Boot's bootPublishImage, the push fails with:

Error response received when pushing image: denied: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.uploadArtifacts" on resource "REDACTED" (or it may not exist)

From what I understand, the plugin is supposed to support Docker credential helpers (as mentioned in the docs), but it seems like it may not actually invoke the helper (docker-credential-gcloud) during the push.

Is gcloud explicitly supported as a credential helper in this context? The documentation wasn't specific about which helpers are supported, and I wasn't able to get this working without switching to static credentials. Would appreciate any clarification or guidance here.

[philwebb]

@lnhrdt Credential helper support was added in Spring Boot 3.5, can you confirm that that's the version you're using?

[lnhrdt]

@philwebb oh that's got to be it. We just had to downgrade to 3.4.6 for an unrelated other issue. Thank you for the quick response here.

Assuming 3.5.0 is all we need, I'll close this issue. If for some reason we encounter the same issue once we upgrade, I'll reopen.

[lnhrdt]

@philwebb we upgraded to 3.5.0 today and can confirm that credential helper support works great.

Again, really appreciate the quick response. Even though it ended up being an issue on our end.