Unable to Push to Google Container Registry (access denied)

5
votes

When I tried to push a container image to the Container Registry, it gave me the following error,

denied: Token exchange failed for project 'my-proj-123'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

I had to follow the Bucket Name Verification process to be able to create the artifacts.my-proj-123.appspot.com bucket. Now when I try to push the docker image, it does not complain on storage.buckets.create permission but only gives:

denied: Access denied.

I don't know which user I need to give access to. I gave Storage Admin access to the Compute Engine default service account to no avail. How can I fix it?

2
google-cloud-platformgoogle-cloud-storagegoogle-container-registry

2 Answers

1
votes

I was able to push a Docker image to Container Registry from a Container Optimized OS.

If you are having permission problems, I recommend you to give the Compute Engine default service account at least project editor permissions, just for testing purposes. Even if you just target Cloud Storage, other parts of the processes may need more permissions. Once you finish testing, you can create a new service account with less permissions and fine tune it for your needs.

Also, there is an alternative to gcloud for authentication. You can try by following this:

  1. First try to download docker-credential-gcr with:

    VERSION=1.5.0
OS=linux  # or "darwin" for OSX, "windows" for Windows.
ARCH=amd64  # or "386" for 32-bit OSs

curl -fsSL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${VERSION}/docker-credential-gcr_${OS}_${ARCH}-${VERSION}.tar.gz" \
  | tar xz --to-stdout ./docker-credential-gcr \
  > /usr/bin/docker-credential-gcr && chmod +x /usr/bin/docker-credential-gcr

  2. After that execute docker-credential-gcr configure-docker

  3. Download the Compute Engine default service account json key.

  4. Execute cat [your_service_account_credentials.json] | docker login -u _json_key --password-stdin https://[HOSTNAME]

0
votes

I hit the similar issue while i was trying to upload the docker image to GCR from container optimized OS, i ran the following sequence of command,

  1. Created a service account and assigned Storage Admin privileges.
  2. Downloaded the JSON key
  3. Executed docker-credential-gcr configure-docker
  4. Logged in with docker command - docker login -u _json_key -p "$(cat ./mygcrserviceaccount.JSON)" https://gcr.io
  5. Tried pushing the image gcr - docker push gcr.io/project-id/imagename:tage01

It failed with following error, 

denied: Token exchange failed for project 'project-id'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

I tried giving every possible permission to my service account through IAM role but it would fail with same error.

After reading this issue i did the following changes,

  1. Removed the docker config directory rm -rf ~/.docker
  2. Executed docker-credential-gcr configure-docker
  3. Stored the JSON key into variable named GOOGLE_APPLICATION_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS=/path/to/mygcrserviceaccount.JSON

  4. Logged in with docker command - docker login -u _json_key -p "$(cat ${GOOGLE_APPLICATION_CREDENTIALS})" https://gcr.io

  5. Executed docker push command - docker push gcr.io/project-id/imagename:tage01

Voila, it worked like a charm!