Score:1

Unable to push docker image into GCP container registry [permission error]

cn flag

I am trying to push a docker image into my container registry on google cloud platform. I am able to build my image successfully on my local machine. I tried the following command:

sudo docker push eu.gcr.io/$PROJECT_ID/$CONTAINER_NAME

I get a permission denied error:

unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

I tried following the steps in the provided link, specifically the gcloud credential helper instructions. I also tried gcloud auth configure-docker and gcloud auth login, all to no avail. Regarding IAM permissions my personal email is listed as Owner and Storage Admin role. I also have manually set up a service account with Owner and Storage admin roles. My $GOOGLE_APPLICATION_CREDENTIALS environment variable points to a json file extracted from this manually created service account. gcloud auth configure-docker provides the following output:

WARNING: Your config file at [/home/awa5114/.docker/config.json] contains these credential helper entries:

{
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud"
  }
}
Adding credentials for all GCR repositories.
WARNING: A long list of credential helpers may cause delays running 'docker build'. We recommend passing the registry name to configure only the registry you are using.
gcloud credential helpers already registered correctly.

At this point, I really don't understand why I am getting denied permission to push this image into the container registry. Any help would be most welcome. Thanks very much.

Score:1
ru flag

It is likely that your account doesn't have permission to store/write the docker image in GCR. The GCR in GCP is backed by a Google cloud storage bucket and your account needs a write permission on the bucket.

For eu.gcr.io, the equivalent bucket is gs://eu.artifacts.$PROJECT_ID.appspot.com. Try to grant your account, a roles/storage.objectAdmin role at the bucket level. Of course, you can do this at the project or org level as well.

You can find details - https://cloud.google.com/container-registry/docs/access-control#permissions

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.