Using Docker locally to perform a build using my project's .dockerfile
, I'm having trouble getting access to our private ADO Artifacts with a 401 Unauthorized.
I've generated a PAT for my ADO account with "Packaging (Read)" across all accessible organizations and it has not expired.
This works in the ADO Build Pipeline using the "npmAuthenticate" task and pointing it to the project's .npmrc
, but locally, Docker fails to authenticate.
FROM node:12 AS clientBuilder
ARG NPM_TOKEN
ADD . /client
WORKDIR /client
RUN wget -qO- https://aka.ms/install-artifacts-credprovider.sh | bash
ENV NUGET_CREDENTIALPROVIDER_SESSIONTOKENCACHE_ENABLED true
ENV VSS_NUGET_EXTERNAL_FEED_ENDPOINTS '{"endpointCredentials": [{"endpoint":"https://<ADO FEED>/nuget/v3/index.json", "username":"docker", "password":"'${NPM_TOKEN}'"}]}'
# the following line fails to authenticate
RUN npm ci
registry=<PROVIDED BY ADO ARTIFACTS>
always-auth=true
docker build . --build-arg NPM_TOKEN=<PAT>
The above results in the following:
Step 9/18 : RUN echo ${VSS_NUGET_EXTERNAL_FEED_ENDPOINTS}
---> Running in 6407b058be7d
{"endpointCredentials": [{"endpoint":"https://*****/nuget/v3/index.json", "username":"docker", "password":"*****"}]}
Step 11/18 : RUN npm ci
---> Running in 33a180c7b4c1
npm ERR! code E401
npm ERR! Unable to authenticate, need: Bearer authorization_uri=https://****, Basic realm="https://pkgsprodeus21.pkgs.visualstudio.com/", TFS-Federated
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2020-12-07T19_21_50_935Z-debug.log
The command '/bin/sh -c npm ci' returned a non-zero code: 1
What I've noticed is that if I configure the project's .npmrc
with the same credentials as provided in my user .npmrc
, it works fine. Obviously I don't want the project's .npmrc
to have any authentication information.
Please let me know if you need more information than what I've provided above.
This is the base "devtools" image I've used in the past for authenticating to private Azure DevOps NuGet and NPM feeds. The PAT needs to be Base64 encoded for NPM, but not for NuGet. It's a little weird. I can't guarantee there's not a better way to do this.
ARG SDKVersion=3.1
FROM mcr.microsoft.com/dotnet/core/sdk:${SDKVersion} AS build-env
# Contains NPM/NodeJS for webpack and all appropriate PATs/configuration for pulling NPM and NuGet packages from private feeds
ARG NugetPAT
ARG B64PAT
ARG SDKVersion=3.1
ENV Configuration Release
ENV VSS_NUGET_EXTERNAL_FEED_ENDPOINTS \
"{\"endpointCredentials\": [{\"endpoint\":\"https://pkgs.dev.azure.com/orgname/projectname/_packaging/projectname-common/nuget/v3/index.json\", \"username\":\"docker\", \"password\":\"${NugetPAT}\"}]}"
RUN curl -L https://raw.githubusercontent.com/Microsoft/artifacts-credprovider/master/helpers/installcredprovider.sh | bash
RUN apt-get update -yq \
&& apt-get install curl gnupg -yq \
&& curl -sL https://deb.nodesource.com/setup_12.x | bash \
&& apt-get install nodejs -yq
WORKDIR /app
RUN echo '<?xml version="1.0" encoding="UTF-8"?><configuration><packageSources><add key="public" value="https://api.nuget.org/v3/index.json" /><add key="projectname-common" value="https://pkgs.dev.azure.com/orgname/projectname/_packaging/projectname-common/nuget/v3/index.json" /></packageSources></configuration>' > NuGet.config
RUN echo \; begin auth token > /root/.npmrc && \
echo //pkgs.dev.azure.com/orgname/projectname/_packaging/projectname-common/npm/registry/:username=orgname >> /root/.npmrc && \
echo //pkgs.dev.azure.com/orgname/projectname/_packaging/projectname-common/npm/registry/:_password=${B64PAT} >> /root/.npmrc && \
echo //pkgs.dev.azure.com/orgname/projectname/_packaging/projectname-common/npm/registry/:email=npm requires email to be set but doesn''t use the value >> /root/.npmrc && \
echo //pkgs.dev.azure.com/orgname/projectname/_packaging/projectname-common/npm/:username=orgname >> /root/.npmrc && \
echo //pkgs.dev.azure.com/orgname/projectname/_packaging/projectname-common/npm/:_password=${B64PAT} >> /root/.npmrc && \
echo //pkgs.dev.azure.com/orgname/projectname/_packaging/projectname-common/npm/:email=npm requires email to be set but doesn''t use the value >> /root/.npmrc && \
echo \; end auth token >> /root/.npmrc
Thanks Daniel, this helped solve the problem. I added a line to the dockerfile to convert the NPM_TOKEN argument to base64:
RUN echo -n ${NPM_TOKEN} | base64 > ~/.token64
I then referred to that encoded token in the root.npmrc
as you outlined, and I can now access my private ADO feed. Thank you!@gt-downunder Glad to help! It took me hours to get it working the first time. Major pain.