I'm having a permission issues when pushing my image to Container Registry. The error I'm getting is
denied: Token exchange failed for project '<my project>'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
I followed the instructions step by step, here's what I've done:
gcloud auth configure-docker
My docker config.json now contains:
{
"auths": {},
"credHelpers": {
"gcr.io": "gcloud",
"us.gcr.io": "gcloud",
"eu.gcr.io": "gcloud",
"asia.gcr.io": "gcloud",
"staging-k8s.gcr.io": "gcloud",
"marketplace.gcr.io": "gcloud"
},
"credsStore": "wincred",
"HttpHeaders": {
"User-Agent": "Docker-Client/18.09.0 (windows)"
},
"stackOrchestrator": "swarm"
}
Tagged my image
docker tag my/image eu.gcr.io/<my project>/my-image:latestRun
docker push eu.gcr.io/<my project>/my-image:latest(error follows)
Here's my setup
- Windows 10 (10.0.17134 Build 17134)
- Docker version 18.09.0, build 4d60db4
- Google Cloud SDK 232.0.0, bq 2.0.40, core 2019.01.27, gsutil 4.35
I have checked that my active account is correct (gcloud auth login points to the correct login email) and the account has Owner permissions. I have also tried by specifically adding Storage Admin permissions to the account, but to no avail.
Please help me push my image!
config.jsonis misconfigured. Using this account are you able to create GCS buckets? (gsutil mb -p <my project> gs://<some bucket name>). Are you able to push after an explicit docker login? (cloud.google.com/container-registry/docs/…) - DazWilkingsutils mbcommand, yes. But you just pointed me in an interesting direction. I manage two Google Cloud accounts. And although I am logged in using account 1 and can create buckets under that account, I just successfully pushed my image (after tagging it with the corresponding project name) to the Container Registry under the other account. I was assuming that switching account usinggcloud auth loginwill take care of everything but that doesn't seem to be the case. Can you (or someone else) help me understand how to correct this? - Davidgcloud auth list. This will indicate the currently selected account with an asterisk. To swtich between credentialed accounts usegcloud config set account <email-address>. - DazWilkingcloud auth listshows both accounts and the asterisk points to the correct one. I'm puzzled why I'm able to docker push to an account that is not selected. - David