Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Unable to Push to Google Container Registry (access denied)

Tags:

google-cloud-platform

google-container-registry

google-cloud-storage

When I tried to push a container image to the Container Registry, it gave me the following error,

denied: Token exchange failed for project 'my-proj-123'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

I had to follow the Bucket Name Verification process to be able to create the artifacts.my-proj-123.appspot.com bucket. Now when I try to push the docker image, it does not complain on storage.buckets.create permission but only gives:

denied: Access denied.

I don't know which user I need to give access to. I gave Storage Admin access to the Compute Engine default service account to no avail. How can I fix it?

like image 401
orad Avatar asked Nov 06 '22 22:11

orad

1 Answers

I was able to push a Docker image to Container Registry from a Container Optimized OS.

If you are having permission problems, I recommend you to give the Compute Engine default service account at least project editor permissions, just for testing purposes. Even if you just target Cloud Storage, other parts of the processes may need more permissions. Once you finish testing, you can create a new service account with less permissions and fine tune it for your needs.

Also, there is an alternative to gcloud for authentication. You can try by following this:

  1. First try to download docker-credential-gcr with:

    VERSION=1.5.0
OS=linux  # or "darwin" for OSX, "windows" for Windows.
ARCH=amd64  # or "386" for 32-bit OSs

curl -fsSL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz" \
  | tar xz --to-stdout ./docker-credential-gcr \
  > /usr/bin/docker-credential-gcr && chmod +x /usr/bin/docker-credential-gcr

  2. After that execute docker-credential-gcr configure-docker

  3. Download the Compute Engine default service account json key.

  4. Execute cat [your_service_account_credentials.json] | docker login -u _json_key --password-stdin https://[HOSTNAME]

like image 130
Nahuel Varela Avatar answered Nov 15 '22 10:11

Nahuel Varela
Sign in to Comment

Related questions

Add SSL certificate from Godaddy to Google App Engine
Google Cloud PubSub: Previously valid subscription suddenly unauthorized
Preventing Abuse: Cloud Functions for Firebase
Mount persistent disk to /home in Google Cloud Platform
Bigtable performance influence column families
Google BigQuery - Bug using WITH and RAND()
Google Speech API + Go - Transcribing Audio Stream of Unknown Length
BigQueryIO - Can't use DynamicDestination with CREATE_IF_NEEDED for unbounded PCollection and FILE_LOADS
BigQueryIO - Write performance with streaming and FILE_LOADS
Google PubSub and auto-scaling Compute Engine instances (Python)
Dialogflow list does not work on Google Assistant the first time
Google Cloud SQL proxy with Docker throws connection refused
How can I create an image from a container running in Kubernetes?
Deadlock in Google Storage API
How to use the gRPC Python Plugin with Docker and Google Cloud Builds?
Running unit tests in Google Cloud Build?
Is it possible to install github repository on Google Cloud Composer
Google Cloud Build not caching custom build steps?
Turn off Google Compute instance after container exits [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!