I am trying to set up a Cloud Build trigger from a public GitHub repository with the Cloud Build GitHub App. I installed the app on my repository and authorized it, but when I was redirected to GCP to connect the repository to a project, this error message came up:
Failed to retrieve GitHub repositories.
The caller does not have permission
I suspect it may have something to do with having two-factor authentication enabled on my GitHub account, which I need for an organization.
I was able to mirror the same GitHub repository from Cloud Source Repositories without any issues though. I am the owner of the repository and GCP project.
*edit
Looks like the issue is due to having 2-factor authentication enabled on my GitHub account. I disabled it and Cloud Build was able to connect with my repository. However, I will need to have 2-factor enabled as my GitHub organization requires it.
*edit
I hadn't mentioned that the GitHub organization I was part of had an IP whitelist configured on top of requiring 2-factor auth. I left the organization and re-enabled 2-factor auth, and Cloud Build was able to connect to my repo. Not sure why I would get the original issue if the repo is not in the GitHub organization.
After looking more into this problem, you either need to add the GCE IP address ranges to the GitHub organization IP whitelist (https://cloud.google.com/compute/docs/faq#find_ip_range) or just disable the whitelist if you are able to.
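Before widening an organization IP allow list (the whitelist in the post above) with provider ranges, it helps to see which ranges are actually missing and how many addresses the change would admit. The following is an added example, not part of the original post: it assumes the provider's range list is a JSON document with a `prefixes` array of `ipv4Prefix`/`ipv6Prefix` entries, and both the sample ranges and the allow list are constructed from documentation address space.

```python
import ipaddress
import json

# Constructed sample shaped like a published cloud IP range list (assumed
# layout: a "prefixes" array with "ipv4Prefix" or "ipv6Prefix" per entry).
# Addresses are documentation ranges, not real provider ranges.
SAMPLE_RANGES = json.loads("""
{"prefixes": [
  {"ipv4Prefix": "192.0.2.0/25"},
  {"ipv4Prefix": "198.51.100.0/24"},
  {"ipv4Prefix": "203.0.113.64/26"},
  {"ipv6Prefix": "2001:db8:1::/48"}
]}
""")

# Constructed organization allow list entries (CIDR notation).
ORG_ALLOW_LIST = ["192.0.2.0/24", "203.0.113.0/26", "2001:db8::/32"]

def parse_prefixes(doc):
    """Return every prefix in the range document as an ip_network object."""
    nets = []
    for entry in doc.get("prefixes", []):
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:  # skip entries that carry neither key
            nets.append(ipaddress.ip_network(cidr, strict=True))
    return nets

def uncovered(provider_nets, allow_list):
    """Provider prefixes not fully contained in any allow list entry."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allow_list]
    missing = [
        n for n in provider_nets
        # subnet_of() raises TypeError across IP versions, so compare versions first
        if not any(n.version == a.version and n.subnet_of(a) for a in allowed)
    ]
    merged = []
    for version in (4, 6):  # collapse_addresses() cannot mix IPv4 and IPv6
        same = [n for n in missing if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged

def added_address_count(nets):
    """How many addresses the allow list would grow by if nets were added."""
    return sum(n.num_addresses for n in nets)

if __name__ == "__main__":
    gaps = uncovered(parse_prefixes(SAMPLE_RANGES), ORG_ALLOW_LIST)
    print([str(n) for n in gaps], added_address_count(gaps))
```

The address count is the number to weigh against simply disabling the list: every added prefix is shared with other tenants of the same provider, so the allow list stops distinguishing your builds from anyone else's workloads in those ranges.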
I'm using GCP build triggers connected to Bitbucket repositories. The connection is made using user credentials. Bitbucket has announced they're ending support for account password usage:
Beginning March 1, 2022, Bitbucket users will no longer be able to use
their Atlassian account password when using Basic authentication with
the Bitbucket API or Git over HTTPS. For security reasons, we require
all users to use Bitbucket app passwords.
Problem is, when trying to connect to a repository in GCP, the only option to supply Bitbucket credentials is via a web login (and, on the subject of app passwords, you cannot log in via bitbucket.org with an app password).
GCP Bitbucket login prompt via bitbucket.org
Expected behavior: GCP provides an option to submit app password credentials when connecting to a Bitbucket repository.
I followed directions for GCP Cloud Build integration with Bitbucket Cloud and successfully built out a functioning trigger for my repository here. I only built the trigger in GCP and used the generated webhook URL when creating the webhook in Bitbucket: I didn't create SSH keys, nor is my cloudbuild.yaml entirely valid - so the builds are failing.
Access to the Bitbucket repository was provided through GCP GUI in Cloud Build.
I have been informed of this change as well. I am trying to understand the scope of the change and its impact. It states that you cannot log in with an Atlassian account and password. However, besides using app passwords, you can also log in using OAuth2. https://developer.atlassian.com/cloud/bitbucket/oauth-2/
In the case of GCP Build Triggers, when I first set up the Bitbucket repository to connect to, I need to go through the "Authorization Code Grant" flow and acknowledge what access I am granting to Google Cloud Source Repository. If you check the Bitbucket API endpoints being called, they are URLs that are being used for "Authorization Code Grant" flow.
Based on these findings, am I right to say that there is no necessity to change existing triggers or mirrored repositories on GCP since they are using OAuth2 in the first place instead of Atlassian accounts and passwords?
If you can set up the build trigger to be done by a webhook, you can configure the build with an SSH key. But if you have to configure it as a manual trigger, then using the Bitbucket login credentials is the only option. Personally, I don't like this config with user login though.
The only good thing is that even now (after Bitbucket stopped supporting the login credentials for code checkout) the code checkout in GCP is working fine.
I'm attempting to set up CI/CD for a GCP Cloud Function and App-Engine deployment. The repo is in Bitbucket and I am following the instructions found here to create a mirror between my Bitbucket repo and a GCP Cloud Source repo.
Using the GCP Cloud Source "Connect external repository" UI I am able to select my GCP project, select Bitbucket as the Git provider, connect to Bitbucket using my credentials (I am admin on the Bitbucket repo), and select the desired Bitbucket repo. Then when I click "Connect selected repository" I get about a 30s delay and finally a simple "Failed to connect repositories" error message with no further explanation as to why. GCP logging shows nothing.
Any ideas would be appreciated.
Thanks
Ensure that you have enabled the source repos API. Retrospectively I guess this is obvious, because the Bitbucket webhooks need to call out to Google's API to announce when changes occur on the repo.
The GCP API is called Cloud Source Repositories API, and the service name is sourcerepo.googleapis.com
https://console.cloud.google.com/apis/api/sourcerepo.googleapis.com
I have multiple CodeBuild projects in an AWS account (which were created by others), with private GitHub repos as the source, connected via OAuth.
I'm creating a new CodeBuild project, also looking at a private GitHub repo, however CodeBuild fails to create since it "can't access the github repo".
I imagine that whoever in the account originally connected to GitHub doesn't have access to the repo I'm trying to connect to.
I'd like to click the "disconnect from Github" and re-authorize, since I have access to the repo I'm trying to connect to, but I'm concerned that will disconnect all CodeBuild projects.
I know that my GitHub credentials don't permit access to all repos that CodeBuild projects are currently reading from.
When a connection to GitHub is made via OAuth, does that set it for the entire account?
When a connection to GitHub is made via OAuth, does that set it for the entire account?
Yes, it will reset the token for all your CodeBuild projects in that AWS account ID. CodeBuild only supports one token (OAuth or personal access token) per AWS account ID.
We are aware of the limitation this causes on end users and will make this experience better in a future release.
I'm the GCP project owner and am trying to connect a Bitbucket repo as a mirror in Cloud Source Repos. I also have a Cloud Build trigger based on a Bitbucket repo.
In Cloud Source Repositories, after granting access to my account, while configuring a mirror, no repositories from Bitbucket appear and the following is displayed:
The Bitbucket account [username] doesn't have access to any
Bitbucket repositories. You will need to grant this account permission
to repositories in Bitbucket before you can connect them.
In Cloud Build triggers, after the grant permissions dialog, Select repository lists no Bitbucket repos and the Continue button is greyed out.
This error message will appear if your Bitbucket account only has Read or Write access to the repository you want to mirror. Check that you have Admin access on Bitbucket and try again. Also, make sure you're logged into the right Bitbucket account when attempting to make the connection.
I recently converted a private GitHub account to an Organization and that seems to have totally screwed up my authentication with AWS CodeDeploy on every one of my repositories.
I checked the Webhooks & services for AWS CodeDeploy and my keys are set properly.
I also re-authenticated with GitHub when creating a new deployment.
My IAM permissions have not changed and pass the GitHub Test.
But I receive the following message every time I try to deploy...
Could not download bundle at 'https://api.github.com/repos/artofdev/django/tarball/1ec682b03d3f160d401d0aaf565a66d99f28734e' after 3 retries. Server returned codes: 404 'Not Found'; 404 'Not Found'; 404 'Not Found'; 404 'Not Found'.
[EDIT]: I set up a test repo and CodeDeploy application on a personal GitHub account and was able to deploy successfully. Does AWS CodeDeploy work with Organization repos?
There is one more authorization step you need to do if you want to deploy from a private repo controlled by an organization.
CodeDeploy just updated with a doc section here: http://docs.aws.amazon.com/codedeploy/latest/userguide/github-integ.html#github-integ-behaviors-org-repositories
Have you retried authenticating CodeDeploy with your new GitHub organization? It is likely that by changing your configuration on GitHub's side your previous authentications were invalidated.
To re-authenticate, you need to create a new deployment from the web console.
You won't need to fully finish creating the deployment, but before you get to the final step, you should see a "Reconnect to GitHub" link.
See GitHub Authentication with Applications in AWS CodeDeploy
I faced exactly the same issue. The resolution that worked for me was:
Delete the application
Create new application and deployment
Re-authenticate with GitHub
Authorize CodeDeploy to access GitHub
Deploy
Here, without deleting an application, it was not providing a way to re-authorize CodeDeploy to GitHub, and that's the root cause of this issue.
For your CI integration to work correctly, go to Your profile --> Settings --> Applications --> Authorized OAuth Apps, which should list CodeDeploy.