docker push to Google Container Registry errors "Caller does not have permission 'storage.buckets.create'"

Question

I'm having a permission issues when pushing my image to Container Registry. The error I'm getting is

denied: Token exchange failed for project '<my project>'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

I followed the instructions step by step, here's what I've done:

1. gcloud auth configure-docker

My docker config.json now contains:

{
  "auths": {},
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud"
  },
  "credsStore": "wincred",
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.09.0 (windows)"
  },
  "stackOrchestrator": "swarm"
}

2. Tagged my image docker tag my/image eu.gcr.io/<my project>/my-image:latest

3. Run docker push eu.gcr.io/<my project>/my-image:latest (error follows)

Here's my setup

• Windows 10 (10.0.17134 Build 17134)
• Docker version 18.09.0, build 4d60db4
• Google Cloud SDK 232.0.0, bq 2.0.40, core 2019.01.27, gsutil 4.35

I have checked that my active account is correct (gcloud auth login points to the correct login email) and the account has Owner permissions. I have also tried by specifically adding Storage Admin permissions to the account, but to no avail.

Please help me push my image!

Answer 1

A potential cause is that the active gcloud PROJECT_ID does not match the registry you are pushing to.

gcloud config set project <PROJECT_ID>
gcloud builds submit --tag gcr.io/<PROJECT_ID>/foo

Ensure the PROJECT_ID matches or provide access in IAM if the projects are in fact different.

Answer 2

Try passing the project flag, --project=<<PROJECT-ID>>, to your command. If you are managing multiple projects gcloud might cache the wrong permissions.