Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Upgrading from 5 to 6 causes API Key to stop working
-
We recently upgraded from ProGet 5.3.38 to 6.0.6. It worked fine for a few days, but then part of our automation tried to use an API Key to check if a container exists in an repository exists. This check was working fine before we upgraded, but now is failing.
Here is the command that was run (in PowerShell):
$manifestResponse = Invoke-WebRequest -Uri "https://myProGetServer.net/v2/MyFeed/PackageLibraryHere/PackageNameHere/manifests/1.0.0" -Method GET -Headers @{"X-ApiKey"="___API_KEY_HERE__";"accept"="application/vnd.docker.distribution.manifest.v2+json"}
Now when this runs it returns:
{"errors":[{"code":"UNAUTHORIZED","message":"Anonymous is not permitted to perform the Feeds_ViewFeed task for the current scope.","detail":[{"Type":"repository","Name":"MyFeed/PackageLibraryHere/PackageNameHere","Action":"pull"}]}]}
Prior to upgrading this API Key had a user that it ran as. After upgrading to version 6, it seems to have been auto-converted to a "Personal" API Key. It still has the correct user on it post upgrade and the API Key seems to be unchanged (though I can't really verify that).
To see if it was specific to this user, I created a Feed API Key (assigned to my feed). When I tried the call with that API Key (which looks longer than the old ones), it still failed with the same "Anonymous is not permitted" error.
I want to reiterate that this was tested and was all working fine before we upgraded to version 6.
How can I get this call to check if a Container is already uploaded working correctly again?
-
Hi @Stephen-Schaff ,
The API Keys changes in ProGet v6 involved changing some of the authentication code, so seeing bugs/regressions where a connected systems (build/CI server) reports authentication errors is not unexpected.
Based on the error message you're sending, it looks like you were using an
X-ApiKey
header to authenticate to the Docker registry API. That actually wasn't supposed to be supported before (Docker API requires token-based authentication), and must have only worked because of a bug / unclear specification in our old authentication code...So the options from here:
- Allow anonymous access to view the feed
- Modify your script to use Docker's token-based authentication
- Rollback to v5
We can consider adding/documenting support for using
X-ApiKey
header in the Docker API, but as it's not possible at the moment....
-
@atripp do you have any docs on how to do this token authentication with proget? I just need a way to curl or otherwise do a GET to see if the container is there already.
-
@Stephen-Schaff I'm afraid I don't... it's a bit tricky to use, since you need to request a bearer token first and then send that in a header value.
https://docs.docker.com/registry/spec/auth/token/#how-to-authenticate
-
I got this working. Here is my PowerShell script to get a Docker Token from ProGet:
function GetDockerToken() { param ( [string] $packageName = $(throw "-packageName is required. This is the namespace and image name. For example: library/my-container-image"), [string] $feed = $(throw "-feed is required"), [string] $actionToAuthorize = $(throw "-action is required. This is the docker action to be authorized (pull, push, delete, etc)"), [string] $apiKey = $(throw "-apiKey is required"), [string] $progetBaseUrl = $(throw "-progetBaseUrl is required. "), [string] $service ) if ($service -eq "") { # This expects that $progetBaseUrl is prepended with "https://" If you are using "http://" then change 8 to 7 below. $service = $progetBaseUrl.SubString(8,$progetBaseUrl.Length-8) } $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f "api","$apiKey"))) $response = Invoke-WebRequest -Uri "$progetBaseUrl/v2/_auth?service=$service&scope=repository`:$feed/$packageName`:$actionToAuthorize" -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} if ($response.StatusDescription -eq "OK") { $token = ($response.Content | ConvertFrom-Json).token $token } }
This can then be used like this:
$pullToken = GetDockerToken -feed $toFeed -packageName $packageName -actionToAuthorize "pull" -apiKey $apiKey -progetBaseUrl $progetBaseUrl $manifest = Invoke-WebRequest -Uri "$progetBaseUrl/v2/$fromFeed/$packageName/manifests/$fromVersion" -Method GET -Headers @{Authorization=("Bearer {0}" -f $pullToken)}
Since this using the API Key for calls like this is no longer supported in ProGet 6, you may want update your documentation here: https://docs.inedo.com/docs/proget-docker-semantic-versioning
This page has a script I wrote a while back to repackage a container image that uses API Keys on the ProGet Docker API. I posted an update to the script using Docker Tokens on the original thread that caused its creation: https://forums.inedo.com/topic/3255/api-to-apply-an-alternate-tag-to-docker-container-image/4
If you like, you can update the documentation with the updated script that is compatible with the removal of API Keys functionality on the ProGet 6 Docker API.
-
@Stephen-Schaff thanks so much Stephen, that's great! It's not so hard for us to add this api key back, but your code works just the same mostly i think! let us know...
Anyway I've updated the documentation :)