
Unable to Push to Google Container Registry (access denied)

When I tried to push a container image to the Container Registry, it gave me the following error,

    denied: Token exchange failed for project 'my-proj-123'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

I had to follow the Bucket Name Verification process to be able to create the artifacts.my-proj-123.appspot.com bucket. Now when I try to push the Docker image, it does not complain about the storage.buckets.create permission but only gives:

    denied: Access denied.

I don't know which user I need to give access to. I gave Storage Admin access to the Compute Engine default service account to no avail. How can I fix it?

orad asked Nov 06 '22 22:11


1 Answer

I was able to push a Docker image to Container Registry from a Container Optimized OS.

If you are having permission problems, I recommend giving the Compute Engine default service account at least project editor permissions, just for testing purposes. Even if you just target Cloud Storage, other parts of the process may need more permissions. Once you finish testing, you can create a new service account with fewer permissions and fine-tune it for your needs.

Also, there is an alternative to gcloud for authentication. You can try by following this:

  1. First try to download docker-credential-gcr with:

    VERSION=1.5.0
    OS=linux  # or "darwin" for OSX, "windows" for Windows.
    ARCH=amd64  # or "386" for 32-bit OSs
    
    curl -fsSL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz" \
      | tar xz --to-stdout ./docker-credential-gcr \
      > /usr/bin/docker-credential-gcr && chmod +x /usr/bin/docker-credential-gcr
    
  2. After that execute docker-credential-gcr configure-docker

  3. Download the Compute Engine default service account JSON key.

  4. Execute cat [your_service_account_credentials.json] | docker login -u _json_key --password-stdin https://[HOSTNAME]

Nahuel Varela answered Nov 15 '22 10:11
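
Added example, not part of the original answer: a pre-flight check to run before step 4 that confirms the file is a service account key, restricts its file mode, and prints the identity `docker login -u _json_key` will authenticate as, together with the Cloud Storage bucket behind the registry host (the principal and bucket whose permissions matter for the push). It assumes the pretty-printed key layout with one field per line; `json_field`, `registry_bucket` and `check_key` are hypothetical helper names, and the target project defaults to the key's own `project_id`.

```shell
#!/bin/sh
# Pre-flight check for a service account key used with `docker login -u _json_key`.
# Assumption: the key is pretty-printed JSON, one "name": "value" pair per line.

# json_field FILE NAME -> print the string value of a top-level field.
json_field() {
  sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# registry_bucket HOST PROJECT -> print the bucket that stores that host's images.
registry_bucket() {
  case "$1" in
    gcr.io)                      printf 'artifacts.%s.appspot.com\n' "$2" ;;
    us.gcr.io|eu.gcr.io|asia.gcr.io)
                                 printf '%s.artifacts.%s.appspot.com\n' "${1%.gcr.io}" "$2" ;;
    *) echo "not a Container Registry host: $1" >&2; return 1 ;;
  esac
}

# check_key FILE HOST [PROJECT] -> validate the key, print "CLIENT_EMAIL BUCKET".
# PROJECT is the project being pushed to; it defaults to the key's project_id.
check_key() {
  key=$1 host=$2
  [ -r "$key" ] || { echo "cannot read $key" >&2; return 1; }
  [ "$(json_field "$key" type)" = "service_account" ] \
    || { echo "$key is not a service account key" >&2; return 1; }
  email=$(json_field "$key" client_email)
  project=${3:-$(json_field "$key" project_id)}
  [ -n "$email" ] && [ -n "$project" ] \
    || { echo "$key lacks client_email or project_id" >&2; return 1; }
  bucket=$(registry_bucket "$host" "$project") || return 1
  chmod 600 "$key"   # long-lived credential: readable by its owner only
  printf '%s %s\n' "$email" "$bucket"
}

# Run as: sh check_key.sh key.json gcr.io [target-project]
# then:   docker login -u _json_key --password-stdin https://gcr.io < key.json
if [ $# -ge 2 ]; then
  check_key "$@"
fi
```

The printed service account is the one that needs access to the printed bucket; if the push is still denied, check the bucket's IAM policy for that exact address.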