Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

docker push to Google Container Registry errors "Caller does not have permission 'storage.buckets.create'"

I'm having a permission issues when pushing my image to Container Registry. The error I'm getting is

denied: Token exchange failed for project '<my project>'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

I followed the instructions step by step, here's what I've done:

  1. gcloud auth configure-docker

My docker config.json now contains:

{
  "auths": {},
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud"
  },
  "credsStore": "wincred",
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.09.0 (windows)"
  },
  "stackOrchestrator": "swarm"
}
  1. Tagged my image docker tag my/image eu.gcr.io/<my project>/my-image:latest

  2. Run docker push eu.gcr.io/<my project>/my-image:latest (error follows)

Here's my setup

  • Windows 10 (10.0.17134 Build 17134)
  • Docker version 18.09.0, build 4d60db4
  • Google Cloud SDK 232.0.0, bq 2.0.40, core 2019.01.27, gsutil 4.35

I have checked that my active account is correct (gcloud auth login points to the correct login email) and the account has Owner permissions. I have also tried by specifically adding Storage Admin permissions to the account, but to no avail.

Please help me push my image!

like image 497
David Avatar asked Feb 02 '19 19:02

David


People also ask

How do I push Docker images to GCR?

Tag image with registry name Before pushing the Docker image to GCR, you need to tag it with its registry name. This configures the docker push command to push the image to a specific location.

Is Google Container Registry a Docker registry?

Google Container Registry is a private Docker registry running on Google Cloud Storage. It uses the same authentication, storage, and billing as google/docker-registry, without the need to run your own registry.


2 Answers

A potential cause is that the active gcloud PROJECT_ID does not match the registry you are pushing to.

gcloud config set project <PROJECT_ID>
gcloud builds submit --tag gcr.io/<PROJECT_ID>/foo

Ensure the PROJECT_ID matches or provide access in IAM if the projects are in fact different.

like image 130
JeffD23 Avatar answered Oct 15 '22 12:10

JeffD23


Try passing the project flag, --project=<<PROJECT-ID>>, to your command. If you are managing multiple projects gcloud might cache the wrong permissions.

like image 24
redryk Avatar answered Oct 15 '22 12:10

redryk