I have an issue consuming a go lib from Artifact Registry inside a Cloud Run Function (v2).
I have a private GH repo (github.com/my-account/go-lib) with a go lib where the module matches the GH path. I published the library on GCP Artifact Registry (verified all files are correct and correctly tagged).
I deploy a cloud run function consuming the go library via terraform where I pass the following build_config envs:
```hcl
resource "google_cloudfunctions2_function" "write_user" {
  ...
  environment_variables = {
    GOPROXY   = "https://proxy.golang.org,direct"
    GOPRIVATE = "${var.region}-go.pkg.dev/${var.project_id}*"
    GOAUTH    = "google"
    GONOSUMDB = "${var.region}-go.pkg.dev/${var.project_id}*"
  }
}
```

The SA that builds the cloud function has the Cloud Run Builder and Artifact Registry Reader permissions. Depending on the order and paths in GOPROXY I get either of two errors leading to unsuccessful deployment:
If the artifact registry is bypassed and the cloud builder tries to access via direct and fails (same error for each dependency) to find my private repo:
```
│ cloud.google.com/go/firestore imports
│ cloud.google.com/go/firestore/apiv1 imports
│ google.golang.org/api/transport/grpc imports
│ google.golang.org/grpc/balancer/grpclb tested by
│ google.golang.org/grpc/balancer/grpclb.test imports
│ google.golang.org/grpc/internal/testutils/roundrobin imports
│ gonum.org/v1/gonum/stat/distuv: github.com/my-account/go-lib@v0.0.20: reading github.com/my-account/go-lib/go.mod at revision v0.0.20: git ls-remote -q origin in /layers/google.go.functions-framework/gopath/pkg/mod/cache/vcs/e9dea6b44c7df840a1e66d7502b76f94e6912fa13c7b7e2a4118f2996af2e9f7: exit status 128:
│ fatal: could not read Username for 'https://github.com': terminal prompts disabled
│ Confirm the import path was entered correctly.
│ If this is a private repository, see https://golang.org/doc/faq#git_https for additional information.
```

Or if it searches via artifact registry:
```
go: consumer.repo/consuming-function tested by
    consumer.repo/consuming-function.test imports
    github.com/stretchr/testify/assert imports
    github.com/stretchr/testify/assert/yaml imports
    gopkg.in/yaml.v3 tested by
    gopkg.in/yaml.v3.test imports
    gopkg.in/check.v1: github.com/my-account/go-lib@v0.0.20: reading https://europe-west1-go.pkg.dev/my-project/go-lib/github.com/%!!(MISSING)m(MISSING)%!!(MISSING)y(MISSING)-account/go-lib/@v/v0.0.20.mod: 401 Unauthorized
    server response: The request does not have valid authentication credentials. If you are running github.com/GoogleCloudPlatform/artifact-registry-go-tools, make sure to add it to the GONOPROXY environment variable. Refer to https://go.dev/ref/mod#private-module-privacy for more information
```

My questions:
- Does Artifact Registry support repos with a module from e.g. GH?
- How does Terraform (via Cloud Run Builder) authenticate against Artifact Registry?
- What is the best configuration of go envs in this case?
- Does go interfere when I name the module in my GH repo after the artifact registry? This led to 404 errors on go get.
My workaround right now is to use go mod vendor before I deploy but this should not be necessary.
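
An added example, not part of the original post: the go command matches GOPRIVATE, GONOPROXY and GONOSUMDB globs against module path prefixes, not against proxy hostnames, and this sketch reimplements that rule to show how the posted values classify `github.com/my-account/go-lib`. The region and project are taken from the URL in the second error message; `matchPrefix`, `route` and the second pattern are constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPrefix reports whether any comma-separated glob matches a leading run
// of path elements of modPath (a reimplementation of the go command's rule).
func matchPrefix(globs, modPath string) bool {
	elems := strings.Split(modPath, "/")
	for _, glob := range strings.Split(globs, ",") {
		n := strings.Count(glob, "/") + 1 // path elements the glob covers
		if glob == "" || n > len(elems) {
			continue
		}
		if ok, _ := path.Match(glob, strings.Join(elems[:n], "/")); ok {
			return true
		}
	}
	return false
}

// route reports whether modPath is requested from GOPROXY and whether it is
// verified against the checksum database. An empty GONOPROXY or GONOSUMDB
// stands for "unset" and falls back to GOPRIVATE.
func route(goprivate, gonoproxy, gonosumdb, modPath string) (viaProxy, viaSumDB bool) {
	if gonoproxy == "" {
		gonoproxy = goprivate
	}
	if gonosumdb == "" {
		gonosumdb = goprivate
	}
	return !matchPrefix(gonoproxy, modPath), !matchPrefix(gonosumdb, modPath)
}

func main() {
	const mod = "github.com/my-account/go-lib"
	// Values from the post with region and project filled in.
	posted := "europe-west1-go.pkg.dev/my-project*"
	fmt.Println(route(posted, "", posted, mod)) // true true
	// Constructed pattern that names the module path instead.
	fmt.Println(route("", "", "github.com/my-account/*", mod)) // true false
}
```

With the posted values the module matches neither pattern, so its path is still sent to every entry in GOPROXY and to the checksum database.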
