I'm trying to fetch a list of available images and their tags from Google Container Registry (gcr.io) in Node.js.
I first use google-auto-auth to obtain a token with scope https://www.googleapis.com/auth/devstorage.read_write, and I exchange that token for a gcr.io token like so:
axios.get('https://gcr.io/v2/token?service=gcr.io', {
  auth: {
    username: '_token',
    password: token // token I got from `google-auto-auth`
  }
})
I then try to use this to call the v2/_catalog endpoint:
axios.get('https://gcr.io/v2/_catalog', {
  headers: {
    Authorization: `Bearer ${gcrToken}`
  }
})
And I get the following error:
{
  errors: [ { code: 'DENIED', message: 'Failed to retrieve projects.' } ]
}
Fair enough, it must require my project ID, but where am I supposed to provide it?
Just to see if I could get anything else working, I tried:
axios.get('https://gcr.io/v2/my-project-id/my-image/tags/list', {
  headers: {
    Authorization: `Bearer ${gcrToken}`
  }
})
And I get the following back:
{
  errors: [
    {
      code: 'NAME_INVALID',
      message: 'Requested repository does not match bearer token resource: my-project-id/my-image'
    }
  ]
}
How can I read image info from gcr.io?
The link to the list of Google Container Registry public images is: https://console.cloud.google.com/gcr/images/google-containers/GLOBAL. As it was clearly stated in the answer, there was no such thing when the question was asked. Google didn't have direct support for container registry in the console as they have now.
The 'docker pull' is a Docker command to download a Docker image or a repository locally on the host from a public or private registry. When we run any container and the specified Docker image is not present locally then it first pulls it from the registry.
Go to the Repositories view and click on a repository to see its tags. Image sizes are the cumulative space taken up by the image and all its parent images. This is also the disk space used by the contents of the .tar file created when you docker save an image.
The Docker Registry HTTP API is the protocol to facilitate distribution of images to the docker engine. It interacts with instances of the docker registry, which is a service to manage information about docker images and enable their distribution.
After extensive communication with Jon Johnson from GCR, we finally figured out what was wrong. If you upvote this answer, please upvote Jon's as well, he went above and beyond to get this issue resolved.
Most of this stuff is undocumented as of this writing.
registry:catalog:* scope.
us.gcr.io, and they treat them as separate registries — I thought they were mirrors.
Project Viewer role in Google Cloud IAM.
Basic base64(_token:<token>), the Google Cloud token can.
Getting the GCR token
// Updated host
axios.get('https://us.gcr.io/v2/token', {
  params: {
    // `service` is passed once, here, and names the same host as the URL
    service: 'us.gcr.io',
    scope: `registry:catalog:*`
  },
  auth: {
    username: '_token',
    password: token // token I got from `google-auto-auth`
  },
})
Using the token to list repositories
const client = axios.create({
  baseURL: `https://us.gcr.io/v2`,
  headers: {
    Authorization: `Bearer ${token}`
  }
})
client.get('/_catalog').then((response) => {
  console.log(response.data.repositories)
})
The first error is likely because you're missing one of the scopes for listing projects: https://cloud.google.com/resource-manager/reference/rest/v1/projects/list#authorization
You get the second error because you're missing the scope in your token exchange.
You want something like:
https://gcr.io/v2/token?service=gcr.io&scope=repository:<my-project-id/my-image>:*
See the example here: https://docs.docker.com/registry/spec/auth/token/#requesting-a-token
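Added example (not part of the question or either answer above): a sketch of how the scope in the token exchange has to line up with the registry path being called, which is what the `NAME_INVALID` error in the question reports. The function names are hypothetical, the token and project values are constructed, and the read-only `pull` action is an assumption taken from the Docker token spec linked above rather than the `*` used in the answers.

```javascript
// Added example: no network calls. Function names are hypothetical.

// Scope a Registry v2 API path needs in the bearer token.
function scopeForPath(path) {
  if (path === '/v2/_catalog') return 'registry:catalog:*';
  const m = /^\/v2\/(.+)\/(tags\/list|manifests\/[^/]+|blobs\/[^/]+)$/.exec(path);
  if (!m) throw new Error(`unsupported registry path: ${path}`);
  // Assumption: read-only "pull" is enough for reads (answers above use "*").
  return `repository:${m[1]}:pull`;
}

// Split "type:name:actions"; the name may itself contain "/" or ":".
function splitScope(scope) {
  const first = scope.indexOf(':');
  const last = scope.lastIndexOf(':');
  if (first < 0 || first === last) return null;
  return {
    type: scope.slice(0, first),
    name: scope.slice(first + 1, last),
    actions: scope.slice(last + 1).split(','),
  };
}

// Token-exchange request for one host. "service" is derived from the host,
// so gcr.io and us.gcr.io (separate registries) cannot be mixed up.
function tokenRequest(host, path, googleToken) {
  const url = new URL(`https://${host}/v2/token`);
  url.searchParams.set('service', host);
  url.searchParams.set('scope', scopeForPath(path));
  const basic = Buffer.from(`_token:${googleToken}`).toString('base64');
  return { url: url.toString(), headers: { Authorization: `Basic ${basic}` } };
}

// Local pre-flight check: would a token exchanged for grantedScope cover path?
function tokenCovers(grantedScope, path) {
  const granted = splitScope(grantedScope || '');
  const needed = splitScope(scopeForPath(path));
  if (!granted) return false; // exchanged without a scope, as in the question
  return granted.type === needed.type && granted.name === needed.name &&
    (granted.actions.includes('*') || granted.actions.includes(needed.actions[0]));
}

// Constructed sample values, not real credentials or projects.
const tagsPath = '/v2/my-project-id/my-image/tags/list';
const req = tokenRequest('us.gcr.io', tagsPath, 'CONSTRUCTED_GOOGLE_TOKEN');
console.log(req.url);
console.log(tokenCovers('registry:catalog:*', tagsPath));
console.log(tokenCovers('repository:my-project-id/my-image:*', tagsPath));
```

A catalog-scoped token does not cover a repository path and the reverse also holds, so each kind of call needs its own exchange.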