Praveen Muniraj

Reputation: 101

Failing to Push docker image from Jenkins on GCE instance to google container registry

I am trying to push a Docker image from Jenkins configured on Compute Engine with the default service account. But it is failing with this error:

[Docker] ERROR: failed to push image gcr.io/project-id/sms-impl:work ERROR: Build step failed with exception com.github.dockerjava.api.exception.DockerClientException: Could not push image: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

What do I need to do?

Upvotes: 3

Views: 516

Answers (2)

Shafiq I

Reputation: 404

To authenticate to Container Registry, use gcloud as a Docker credential helper. To do so, run the following command:

gcloud auth configure-docker

You need to run this command once to authenticate to Container Registry. We strongly recommend that you use this method when possible. It provides secure, short-lived access to your project resources. Please follow the steps in link 1.

Upvotes: 1

robsiemb

Reputation: 6354

At the bottom of the page that was linked, you will see a further link to Using GCR with GCP; in particular, this section describes what you need to do.

To summarize, the service account needs the permissions to write to the storage bucket for GCR. Since you mentioned you were using the default service account, it further will need the access scopes set for that instance. The default only grants 'read' unless you have specified all scopes.

A few ways to do this:

  • When you create the instance using gcloud, specify --scopes https://www.googleapis.com/auth/devstorage.read_write
  • In the console, select the scope specifically or select "all scopes", e.g.:

[Image: options for scopes on instance create page]

(... many lines of scopes omitted ...)

[Image: correct setting for storage scope]

You can also add the scopes after the fact, if needed, by editing the instance while it is stopped.

Note that the first push for a project may additionally require "admin" rights, in order to create the bucket.

Upvotes: 0
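Added example (not part of either answer): a check for whether the instance's access scopes are what blocks the push, classifying the scope list that the GCE metadata server returns for the default service account. The function name, the `--live` switch and the sample scope list are constructed for illustration; the check covers scopes only, and IAM permissions on the registry bucket are a separate requirement.

```sh
#!/bin/sh
# Added example: does this instance's default service account carry an
# access scope that allows writing to Cloud Storage (which backs GCR)?

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"

# classify_scopes SCOPES -> prints push-ok | read-only | no-storage
# SCOPES is the whitespace/newline-separated list of scope URLs.
classify_scopes() {
  result="no-storage"
  for s in $1; do
    case "$s" in
      */auth/cloud-platform|*/auth/devstorage.read_write|*/auth/devstorage.full_control)
        result="push-ok"; break ;;          # write-capable scope present
      */auth/devstorage.read_only)
        result="read-only" ;;               # pull works, push is refused
    esac
  done
  printf '%s\n' "$result"
}

# fetch_scopes: query the metadata server (only reachable from the instance).
fetch_scopes() {
  curl -sf --max-time 3 -H 'Metadata-Flavor: Google' "$METADATA_URL"
}

# Constructed sample: a scope set with storage limited to read, as the
# answer describes for an instance created with default scopes.
SAMPLE_DEFAULT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'

# Pass --live on the Jenkins instance; otherwise the sample is classified.
if [ "${1:-}" = "--live" ]; then
  scopes=$(fetch_scopes) || { echo "metadata server unreachable" >&2; exit 2; }
  classify_scopes "$scopes"
else
  classify_scopes "$SAMPLE_DEFAULT_SCOPES"
fi
```

A `read-only` or `no-storage` result means the instance has to be stopped and its scopes edited before a push can succeed, whatever roles the service account holds.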
