Google Cloud Container Registry/Artifact Registry Permissions
I'm trying to push containers to the Google Cloud Container Registry or the Google Cloud Artifact Registry on Windows 10 using the Google Cloud SDK. I'm getting a similar permissions error from both services; however, I can't seem to figure out why. For the Container Registry, on push I get:
> docker push us.gcr.io/{PROJECT}/{PATH}/{CONTAINER}:{TAG}
unauthorized: You don't have the needed permissions to perform this operation,
and you may have invalid credentials. To authenticate your request, follow the
steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
For the Artifact Registry, on push I get:
> docker push northamerica-northeast1-docker.pkg.dev/{PROJECT}/{REPOSITORY}/{CONTAINER}:{TAG}
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource
"projects/opallabs/locations/northamerica-northeast1/repositories/domar" (or it may not exist)
I've run gcloud init and gcloud auth configure-docker a few times. I can create and edit Google Cloud resources from the command line using gcloud without any trouble. I'm the owner of the Google Cloud project but I've assigned myself Storage Admin, Artifact Registry Administrator, Artifact Registry Repository Administrator just to be safe. However, when I run gcloud auth print-access-token and analyze the token with the https://www.googleapis.com/oauth2/v1/tokeninfo endpoint, the only scopes that appear are:
{
...
"scope": "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/accounts.reauth",
...
}
Missing are the https://www.googleapis.com/auth/devstorage.read_write or the https://www.googleapis.com/auth/devstorage.full_control scopes which should probably be there according to the troubleshooting link, but I'm not sure why they would be missing. I had this working on my last Windows 10 machine by following the setup instructions, but the same setup on my new machine doesn't seem to be working.
My docker credential helper entries:
{
"credHelpers": {
"gcr.io": "gcloud",
"us.gcr.io": "gcloud",
"eu.gcr.io": "gcloud",
"asia.gcr.io": "gcloud",
"staging-k8s.gcr.io": "gcloud",
"marketplace.gcr.io": "gcloud",
"northamerica-northeast1-docker.pkg.dev": "gcloud",
"us-central1-docker.pkg.dev": "gcloud"
}
}
> docker-credential-gcloud list
{
"https://asia.gcr.io": "_dcgcloud_token",
"https://eu.gcr.io": "_dcgcloud_token",
"https://gcr.io": "_dcgcloud_token",
"https://marketplace.gcr.io": "_dcgcloud_token",
"https://staging-k8s.gcr.io": "_dcgcloud_token",
"https://us.gcr.io": "_dcgcloud_token"
}
gcloud -v
Google Cloud SDK 311.0.0
beta 2020.09.18
bq 2.0.60
core 2020.09.18
gsutil 4.53
docker -v
Docker version 19.03.13, build 4484c46d9d
Solution 1:[1]
Thanks to the link provided by Muss Rahman I've been able to authenticate by going to "Settings" -> "Command Line" in Docker Desktop and unchecking the "Enable cloud experience" switch. The setting seems to be absent from the Docker manual so I'm not sure how it impacts the authentication; all I know is that for Docker version 19.03.13, build 4484c46d9d on Windows, if you want to authenticate using gcloud it needs to be disabled.
Solution 2:[2]
Try to configure with:
gcloud auth configure-docker northamerica-northeast1-docker.pkg.dev
Solution 3:[3]
I got this issue when I misspelled my project name. Double check your paths match the instructions at https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling#auth
Solution 4:[4]
You will have to provide project-specific or repo-specific permissions. After a lot of research, I got to know this:
https://cloud.google.com/artifact-registry/docs/access-control#grant-repo
You can give your IAM email the Artifact Registry Writer role.
Note: even if you give owner permissions to the IAM for the whole project, it won't work, as the Artifact Registry itself has its own permission system. This took a while to identify.
Solution 5:[5]
In case anyone else runs into this: the issue for me was that you must use the PROJECT-ID. This is not the same as the project name.
For example, if your project is called example, you may have had:
- tag:
docker tag image:tag northamerica-northeast1-docker.pkg.dev/example/repo-name/image:tag
- push:
docker push northamerica-northeast1-docker.pkg.dev/example/repo-name/image:tag
This seems silly but very well may be your issue. If it is, then:
- list projects to get the PROJECT-ID:
gcloud projects list
(note: it is the first column value, not the "project number" in the last column)
- tag:
docker tag image:tag northamerica-northeast1-docker.pkg.dev/<PROJECT-ID>/repo-name/image:tag
- push:
docker push northamerica-northeast1-docker.pkg.dev/<PROJECT-ID>/repo-name/image:tag
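The checks suggested in the question and in Solutions 2, 3 and 5 (credential helper registered for the registry host, path shape, PROJECT-ID rather than project name) can be run against an image reference before pushing. The following is an added example, not part of any answer above; the function name `preflight`, the sample config and the project ID `example-123456` are constructed for illustration, and in practice the ID set would come from `gcloud projects list`.

```python
import json
import re

# Constructed sample of a Docker config.json; only credHelpers matters here.
SAMPLE_DOCKER_CONFIG = json.loads("""
{"credHelpers": {"us.gcr.io": "gcloud",
                 "northamerica-northeast1-docker.pkg.dev": "gcloud"}}
""")
# Constructed sample of the PROJECT_ID column of `gcloud projects list`.
SAMPLE_PROJECT_IDS = {"example-123456"}

AR_HOST = re.compile(r"^[a-z0-9-]+-docker\.pkg\.dev$")   # Artifact Registry
GCR_HOST = re.compile(r"^([a-z0-9-]+\.)?gcr\.io$")       # Container Registry


def preflight(image_ref, docker_config, project_ids):
    """Return the problems found in image_ref; an empty list means none."""
    host, _, path = image_ref.partition("/")
    is_ar = bool(AR_HOST.match(host))
    if not (is_ar or GCR_HOST.match(host)):
        return [f"{host!r} is not a gcr.io or *-docker.pkg.dev host"]
    problems = []
    # Docker invokes docker-credential-gcloud only for hosts mapped to it here.
    if docker_config.get("credHelpers", {}).get(host) != "gcloud":
        problems.append(f"no gcloud credHelper for {host}; run "
                        f"'gcloud auth configure-docker {host}'")
    # Drop a digest, then the tag (a tag can only follow the last segment).
    segments = path.split("@", 1)[0].split("/")
    segments[-1] = segments[-1].split(":", 1)[0]
    # Artifact Registry: PROJECT-ID/REPOSITORY/IMAGE; gcr.io: PROJECT-ID/IMAGE.
    needed = 3 if is_ar else 2
    if len(segments) < needed or not all(segments):
        problems.append(f"path {path!r} needs at least {needed} segments")
    if segments[0] not in project_ids:
        problems.append(f"{segments[0]!r} is not a known PROJECT-ID "
                        "(project name used instead?)")
    return problems


if __name__ == "__main__":
    for ref in ("northamerica-northeast1-docker.pkg.dev/example/repo-name/image:tag",
                "northamerica-northeast1-docker.pkg.dev/example-123456/repo-name/image:tag"):
        print(ref, "->", preflight(ref, SAMPLE_DOCKER_CONFIG, SAMPLE_PROJECT_IDS) or "ok")
```

An empty result only rules out these client-side mistakes; IAM bindings on the repository (Solution 4) still have to be checked on the Google Cloud side.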
Solution 6:[6]
I had this issue on CircleCI with docker push to Google Cloud Artifact Registry, getting this error:
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource
After hours of struggling, I found the solution: the issue is Docker's new BuildKit feature. Google Cloud Artifact Registry does not support this new architecture for images at the moment, so it needs to be turned off.
DOCKER_BUILDKIT=0 docker push <IMAGE-NAME>
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | THawke |
Solution 2 | Mike |
Solution 3 | rolznz |
Solution 4 | Deepak Bandela |
Solution 5 | vampiire |
Solution 6 | alireza-bonab |