Kieren Johnstone

Reputation: 42013

Don't have permission to push to GCR - but am owner of the project

Pushing to eu.gcr.io/my-project-name/my-image:tag, I get:

unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

I have gcloud installed, and when I use gcloud auth list, I see the selected account is the owner of the project.

I've run gcloud auth configure-docker and my Docker config file contains gcloud as credential helpers, accordingly. I've confirmed that docker is using the same config, because if I temporarily empty out the config, docker push gives a different error.

I also used:

docker login -u oauth2accesstoken -p 'token_here' https://eu.gcr.io after getting an access token via gcloud auth print-access-token.

This is a new laptop, and the user was fine to push to the registry previously... I'm quite lost.

Versions:

Google Cloud SDK 310.0.0
bq 2.0.60
core 2020.09.11
gsutil 4.53


Client: Docker Engine - Community
 Azure integration  0.1.15
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:43:18 2020
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       48a66213fe
  Built:            Mon Jun 22 15:49:27 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Upvotes: 0

Views: 5491

Answers (4)

mc51

Reputation: 2287

If somebody else stumbles upon this but has made sure that it really is not an issue with your permissions or Docker Desktop, you might run into the same trap as me. It can happen when you use sudo to run docker.
The solution is somewhat hidden in the docs (at the end of the linked section):

Note: If you normally run Docker commands on Linux with sudo, Docker looks for Artifact Registry credentials in /root/.docker/config.json instead of $HOME/.docker/config.json. If you want to use sudo with docker commands instead of using the Docker security group, configure credentials with sudo gcloud auth configure-docker instead.

Upvotes: 5
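
The sudo trap described in the answer above can be checked by comparing what each Docker config file resolves to for the registry. This is an added example, not part of the original answer; it assumes Linux-style HOME handling, the sample configs are constructed, and the function names are hypothetical.

```python
import json
import os
from pathlib import Path

# Constructed sample configs (not from the post): the user's file after
# `gcloud auth configure-docker`, and root's file, which was never configured.
USER_CFG = {"credHelpers": {"gcr.io": "gcloud", "eu.gcr.io": "gcloud"}}
ROOT_CFG = {"auths": {"https://index.docker.io/v1/": {}}}

def docker_config_path(env):
    """config.json the Docker CLI reads: $DOCKER_CONFIG wins, else $HOME/.docker."""
    if env.get("DOCKER_CONFIG"):
        return Path(env["DOCKER_CONFIG"]) / "config.json"
    return Path(env.get("HOME", "/")) / ".docker" / "config.json"

def _host(key):
    """Reduce an auths key such as https://eu.gcr.io/v1/ to its hostname."""
    return key.split("://", 1)[-1].split("/", 1)[0]

def credential_source(config, registry):
    """Name what Docker consults for registry, in its lookup order:
    per-registry credHelpers entry, then global credsStore, then inline auths.
    None means the push goes out unauthenticated."""
    helper = config.get("credHelpers", {}).get(registry)
    if helper:
        return f"docker-credential-{helper}"
    if config.get("credsStore"):
        return f"docker-credential-{config['credsStore']}"
    if any(_host(k) == registry for k in config.get("auths", {})):
        return "auths"
    return None

def load(path):
    """Parse a config file; a missing or unreadable file counts as empty."""
    try:
        return json.loads(Path(path).read_text())
    except (OSError, ValueError):
        return {}

def compare(registry, configs):
    """Map each label to the credential source its config yields for registry."""
    return {label: credential_source(cfg, registry) for label, cfg in configs.items()}

if __name__ == "__main__":
    paths = {"current user": docker_config_path(os.environ),
             "sudo (root)": docker_config_path({"HOME": "/root"})}
    for label, path in paths.items():
        src = credential_source(load(path), "eu.gcr.io")
        print(f"{label:13} {path}: {src or 'no credentials for eu.gcr.io'}")
```

A result of None for the root config while the user config resolves to docker-credential-gcloud is the situation the quoted documentation note describes.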

user3212132

Reputation: 86

I had the same problem - which happened after the latest Docker Desktop update earlier this week. I disabled "Enable Cloud Experience" in the "Command Line" options in the Desktop Settings window. It then worked ...

Upvotes: 7

Jose Luis Delgadillo

Reputation: 2468

You must be authenticated to the Container Registry before tagging an image to successfully push the image to the registry.

If you want to push images to a registry you need two things: API Access Scopes and Authenticate your VM with the registry.

According to the official documentation

For Compute Engine:

  • By default, a Compute Engine VM has the read-only access scope configured for storage buckets. To push private Docker images, the VM instance must have the read-write storage access scope.

For Google Kubernetes Engine:

  • By default, a Compute Engine VM has the read-only access scope configured for storage buckets. To push private Docker images, the VM instance must have the read-write storage access scope.

To set the read-write storage scope when creating a Google Kubernetes Engine cluster, use the --scopes option.

For more information about scopes you can set when creating a new cluster, refer to the documentation for the command gcloud container clusters create.

The first step is to verify if your GKE cluster or GCE instance actually has the proper scopes set.

Then it is necessary to authenticate to the registry:

  • If you are using a Linux based image, configure Docker with the following command:
gcloud auth configure-docker

You can check this link for more details.

But if you are using Container-Optimized OS (COS), the command is:

docker-credential-gcr configure-docker

Please take a look at this other link

Additionally, I have found this question on Stack Overflow where it appears to be a bug in the Linux version of Cloud SDK and the authentication fails using the standard authentication method gcloud auth configure-docker. And they use the JSON key file method as a workaround.

Upvotes: 2
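
The scope verification step from the answer above can be run over the JSON that gcloud compute instances describe or gcloud container clusters describe prints with --format=json. This is an added example, not part of the original answer; the sample resources are constructed and the function names are hypothetical.

```python
import json
import sys

# Scopes that permit writes to the Cloud Storage bucket behind the registry.
WRITE_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}

# Constructed sample inputs, shaped like `gcloud ... describe --format=json` output.
SAMPLE_INSTANCE = {"name": "build-vm", "serviceAccounts": [{
    "email": "builder@example-project.iam.gserviceaccount.com",
    "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
               "https://www.googleapis.com/auth/logging.write"]}]}
SAMPLE_CLUSTER = {"name": "ci", "nodePools": [
    {"name": "default-pool", "config": {"oauthScopes": [
        "https://www.googleapis.com/auth/devstorage.read_only"]}},
    {"name": "builders", "config": {"oauthScopes": [
        "https://www.googleapis.com/auth/cloud-platform"]}}]}

def scope_sets(resource):
    """Yield (label, scopes) for a GCE instance or for each GKE node pool."""
    if "nodePools" in resource:
        for pool in resource["nodePools"]:
            yield pool["name"], set(pool.get("config", {}).get("oauthScopes", []))
        return
    accounts = resource.get("serviceAccounts", [])
    if not accounts:  # no service account attached, so the VM gets no token
        yield resource.get("name", "instance"), set()
    for sa in accounts:
        yield sa["email"], set(sa.get("scopes", []))

def push_report(resource):
    """Map each label to 'ok' or to the reason a push from there is refused."""
    report = {}
    for label, scopes in scope_sets(resource):
        if scopes & WRITE_SCOPES:
            report[label] = "ok"
        elif any(s.endswith("devstorage.read_only") for s in scopes):
            report[label] = "read-only storage scope"
        else:
            report[label] = "no storage scope"
    return report

if __name__ == "__main__":
    # Pipe the describe output in on stdin.
    for label, verdict in push_report(json.load(sys.stdin)).items():
        print(f"{label}: {verdict}")
```

An "ok" here only means the access scope does not block the write; the service account still needs an IAM role that allows it.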

kefa

Reputation: 71

I'm out on a limb here (not being overly familiar with GCR) but Project Owner may not necessarily contain the required permissions in order to update objects in the underlying storage bucket (e.g. storage.objects.create etc). It's possible this could have been removed. You may want to check you have the 'Storage Admin' role on the project/bucket (or Storage Legacy Bucket Owner).

Upvotes: 0
