Failed to authorize when pushing docker image to GCR - docker

I got stuck when pushing my docker image to Google Container Registry. There is always this error message:
failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized
I did run gcloud auth login with my company email (user account not service account)
I did run gcloud auth configure-docker
Tools version:
docker: 20.10.21
gcloud: 410.0.0
Everything is okay on my company's Mac Mini and my personal Linux desktop, but not on my MacBook (the same account and setup steps).
Does anyone know about this problem? Please give me an instruction. Thank you in advance.

Create a service account: That requires permission and roles to write to the Cloud Storage bucket containing the container registry. Granting the service account either the project editor role or write access to the bucket (via ACL) solves the issue. The latter should be preferable since the account doesn't receive wider permissions than it needs.
To push the images to GCR follow the below steps:
1. Add a registry
2. Check the permissions
3. Choose the authentication method
4. Tag
5. Tag the local image with the registry name
6. Push tagged image to gcr
Refer to the link Pushing and Pulling images for more information.
If you encounter any issues with Docker on Mac, try the steps below:
Run the docker-machine restart default command in the Mac terminal to restart the Docker daemon.
Ensure that "Securely store docker logins in macOS keychain" is not enabled in Docker's Preferences menu.
Ensure that you're running the most recent Docker version.
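Added example, not part of the original question or answer: `gcloud auth configure-docker` registers gcloud as a credential helper in Docker's client config file, and the word "anonymous" in the error suggests the client found no credentials for the registry. The sketch below reads such a config and reports where Docker would look for credentials for a given registry host (per-registry `credHelpers` first, then `credsStore`, then inline `auths`). The sample config and the function names are constructed for illustration.

```python
import base64
import json

# Constructed sample of ~/.docker/config.json (not taken from the page).
SAMPLE_CONFIG = json.dumps({
    "credsStore": "osxkeychain",
    "credHelpers": {"gcr.io": "gcloud", "eu.gcr.io": "gcloud"},
    "auths": {
        "registry.gitlab.com": {
            "auth": base64.b64encode(b"deploy-user:example-token").decode()
        },
        "us.gcr.io": {},
    },
})


def normalize(host):
    """Strip scheme and path so 'https://gcr.io/v2/' compares equal to 'gcr.io'."""
    host = host.split("://", 1)[-1]
    return host.split("/", 1)[0].lower()


def credential_source(config_text, registry):
    """Return (kind, detail) describing where Docker would look for credentials."""
    cfg = json.loads(config_text)
    host = normalize(registry)
    helpers = {normalize(k): v for k, v in cfg.get("credHelpers", {}).items()}
    if host in helpers:
        # A per-registry helper takes precedence over credsStore and auths.
        return ("helper", "docker-credential-" + helpers[host])
    if cfg.get("credsStore"):
        # A global store (for example the macOS keychain) handles every other host.
        return ("store", "docker-credential-" + cfg["credsStore"])
    auths = {normalize(k): v for k, v in cfg.get("auths", {}).items()}
    entry = auths.get(host)
    if entry and entry.get("auth"):
        # Inline entries are only base64-encoded, so the file holds the secret itself.
        user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        return ("inline", "base64 user:password stored in the file for " + user)
    return ("anonymous", "no credentials configured for " + host)


if __name__ == "__main__":
    for reg in ("https://gcr.io", "registry.gitlab.com", "asia.gcr.io"):
        print(reg, credential_source(SAMPLE_CONFIG, reg))
```

Comparing the result for the failing registry host on a working machine and on the failing one shows whether the two clients resolve credentials differently.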

Related

denied: requested access to the resource is denied when pushing image to gitlab registry

I'm trying to push an image to gitlab registry.
I've done it many times, so I wonder why I get this error.
I build the image with latest tag:
Successfully tagged registry.gitlab.com/mycompany/rgpd_api:latest
Then I login and I push:
docker login registry.gitlab.com -u gitlab+deploy-token-91931
docker push registry.gitlab.com/mycompany/rgpd_api:latest
But I get:
The push refers to repository [registry.gitlab.com/mycompany/rgpd_api]
be679cc302b9: Preparing
denied: requested access to the resource is denied
I gave gitlab+deploy-token-91931 token both read_repository and read_registry rights.
My repo is:
https://gitlab.com/mycompany/rgpd_api
I checked with docs page: https://docs.gitlab.com/ee/user/project/container_registry.html
But when I do it through Gitlab CI, with gitlab-ci-token
I can push it normally.
I also tried to regenerate a new token, but still same issue.
How can I fix it?
I've stumbled upon this question as well and it turns out that
Group level Deploy tokens can be used to push images to group level container registry similarly to a PAT token with API access or other applicable scopes.
The image must be tagged with the tag that matches an existing project within the group.
Any image tagged differently will be rejected with the denied: requested access to the resource is denied error message.
So, with the setup below:
GitLab group called mytest
Project within that group called hello-world
Docker image tagged as registry.gitlab.com/mytest/hello-world
Deploy token created for an entire group
Docker daemon authorized to push to that registry by cat "<deploy_token>" | docker login -u "<token_username>" --password-stdin registry.gitlab.com
You will get the following results:
Successful push for docker push registry.gitlab.com/mytest/hello-world because such project exists within the group
denied: requested access to the resource is denied if you try to push an image tagged with the name of the project that does not exist in the group like docker push registry.gitlab.com/mytest/no-project
So, again, the image must be tagged to match an existing path within the group, like an existing project within the group or a subgroup.
My error was to use a deploy token to push an image to a registry.
A deploy token can be used to pull an image, but not push it.
So, instead, you can generate a Personal Access Token. You should add at least permissions:
read_registry, write_registry
Make sure you have proper configuration in settings.
Go to Settings of project, then "Visibility, project features, permissions" and check "Container registry : Every project can have its own space to store its Docker images" (for members only or for everyone, up to you). Otherwise, the push and pull will be denied.
This happened to me and that's how I solved it.
You can make docker log out of your registry and log in again.
It recreates your token.
This worked in my case.

IoT Edge : device can't download my module from Azure Container Registry but it can from dockerhub

I followed this Azure example to develop my module connectedbarmodule in Python for Azure IoT Edge. Then, I followed this link to deploy my module on my device (Raspberry Pi 3). However, my module can't be downloaded. Then, I executed the following command on my device:
sudo docker logs -f edgeAgent
I have the following error:
Error calling Create module ConnectedBarModule:
Get https://iotedgeregistery.azurecr.io/v2/connectedbarmodule/manifests/0.0.1-amd64:
unauthorized: authentication required)
This is a URL for my Azure Container Registry where the image of my module is stored. I don't know how to get the credentials for iotedge to download my module.
I tested putting the image not in the Azure Container Registry but in my dockerhub account and it works, my device can download the module.
If someone has an idea, this would be very kind.
Thank you in advance.
Your Azure Container Registry is private. Hence, you need to add the credentials for it in order for the edgeAgent to be able to download images from private registries:
Through the Azure Portal: In the first step of "Set Modules"
When done through deployments in Visual Studio Code:
"In the VS Code explorer, open the .env file. Update the fields with
the username and password values that you copied from your Azure
container registry." (https://learn.microsoft.com/en-us/azure/iot-edge/tutorial-c-module#add-your-registry-credentials)
For your issue, you can use the command docker login -u <ACR username> -p <ACR password> <ACR login server>, which is shown in the example you posted. For Azure Container Registry authentication, there are two ways you can choose from.
One is to use the user and password shown for your ACR in the Azure portal.
The other is to use an Azure Service Principal, where you can set the permission for the user. Follow the document Azure Container Registry authentication with service principals. I would suggest this way much more than the first because it's safer.
It's just advice. Hope this will help you, and if you need more help please show me the message.

Getting "unauthorized: authentication required" when pulling ACR images from Azure Kubernetes Service

I followed the guide here (Grant AKS access to ACR), but am still getting "unauthorized: authentication required" when a Pod is attempting to pull an image from ACR.
The bash script executed without any errors. I have tried deleting my Deployment and creating it from scratch kubectl apply -f ..., no luck.
I would like to avoid using the 2nd approach of using a secret.
The link you posted in the question is the correct steps for Authenticate with Azure Container Registry from Azure Kubernetes Service. I tried before and it works well.
So I suggest you check whether the service-principal-ID and service-principal-password are correct in the command kubectl create secret docker-registry acr-auth --docker-server <acr-login-server> --docker-username <service-principal-ID> --docker-password <service-principal-password> --docker-email <email-address>. You should also check that the secret you set in the YAML file is the same as the secret you created.
Jeff & Charles - I also experienced this issue, but found that the actual cause of the issue was that AKS was trying to pull an image tag from the container registry that didn't exist (e.g. latest). When I updated this to a tag that was available (e.g. 9) the deployment script on azure kubernetes service (AKS) worked successfully.
I've commented on the product feedback for the guide to request the error message context be improved to reflect this root cause.
Hope this helps! :)
In my case, I was having this problem because my clock was out of sync. I run on Windows Subsystem for Linux, so running sudo hwclock -s fixed my issue.
See this GitHub thread for longer discussion.
In my case, the Admin User was not enabled in the Azure Container Registry.
I had to enable it:
Go to "Container registries" page > Open your Registry > In the side panel under Settings open Access keys and switch Admin user on. This generates a Username, a Password, and a Password2.

Access denied pushing images to gcr repository

No matter what I do I can't push images to google repository. I followed this guide and I do these commands directly from the google cloud shell
docker build -t eu.gcr.io/[project-id]/[imagename]:[tag] ~/[folder]
docker tag eu.gcr.io/[project-id]/[imagename]:[tag] eu.gcr.io/[project-id]/[imagename]:[tag]
docker push eu.gcr.io/[project-id]/[imagename]:[tag]
I get this output when pushing
4d1ea31bd998: Preparing
03b6a2b0817c: Preparing
104044bed4c7: Preparing
2222fefcbbfc: Preparing
75166708bd17: Preparing
5eefc1b802bb: Waiting
5c33df241050: Waiting
ffc4c11463ee: Waiting
denied: Unable to access the repository, please check that you have permission to access it.
I've searched for this online but everyone seems to have authentication issues. Since I can't execute this either from my local machine or the Google Cloud Shell, I don't think there's a problem there, since when I'm on the shell I'm using the owner account [owner]#[project-id]. I have billing and Container Registry API active
From my understanding pushing should create a bucket for this but I even tried creating a bucket but I have no idea if and how to configure it to be used for image repository. I have billing and Container Registry API activated
You probably did not authenticate with the registry. Please try to login before pushing. Just type in the console and enter your credentials:
docker login eu.gcr.io

Google Container Registry access denied when pushing docker container

I try to push my docker container to the google container registry, using this tutorial, but when I run
gcloud docker push b.gcr.io/my-bucket/image-name
I get the error :
The push refers to a repository [b.gcr.io/my-bucket/my-image] (len: 1)
Sending image list
Error: Status 403 trying to push repository my-bucket/my-image: "Access denied."
I couldn't find any more explanation (no -D, --debug, --verbose arguments were recognized), gcloud auth list and docker info tell me I'm connected to both services.
Anything I'm missing ?
You need to make sure the VM instance has enough access rights. You can set these at the time of creating the instance, or if you have already created the instance, you can also edit it (but first, you'll need to stop the instance). There are two ways to manage this access:
Option 1
Under the Identity and API access, select Allow full access to all Cloud APIs.
Option 2 (recommended)
Under the Identity and API access, select Set access for each API and then choose Read Write for Storage.
Note that you can also change these settings even after you have already created the instance. To do this, you'll first need to stop the instance, and then edit the configuration as mentioned above.
Use gsutil to check the ACL to make sure you have permission to write to the bucket:
$ gsutil acl get gs://<my-bucket>
You'll need to check which group the account you are using is in ('owners', 'editors', 'viewers' etc.)
EDIT: I have experienced a very similar problem to this myself recently and, as @lampis mentions in his post, it's because the correct permission scopes were not set when I created the VM I was trying to push the image from. Unfortunately there's currently no way of changing the scopes once a VM has been created, so you have to delete the VM (making sure the disks are set to auto-delete!) and recreate the VM with the correct scopes ('compute-rw', 'storage-rw' seems sufficient). It doesn't take long though ;-).
See the --scopes section here: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create
I am seeing this but on an intermittent basis. e.g. I may get the error denied: Permission denied for "latest" from request "/v2/...."., but when trying again it will work.
Is anyone else experiencing this?
For me I forgot to prepend gcloud in the line (and I was wondering how docker would authenticate):
$ gcloud docker push <image>
In your terminal, run the code below
$ sudo docker login -u oauth2accesstoken -p "$(gcloud auth print-access-token)" https://[HOSTNAME]
Where
- [HOSTNAME] is your container registry location (it is either gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io). Check your tagged images to be sure by running $ sudo docker images.
If this doesn't fix it, try reviewing the VM's access scopes.
If you are using Docker 1.7.0, there was a breaking change to how they handle authentication, which affects users who are using a mix of gcloud docker and docker login.
Be sure you are using the latest version of gcloud via: gcloud components update.
So far this seems to affect gcloud docker, docker-compose and other tools that were reading/writing the Docker auth file.
Hopefully this helps.
Same problem here, the troubleshooting section from https://cloud.google.com/tools/container-registry/#access_denied wasn't very helpful. I have Docker and GCloud fully updated. Don't know what else to do.
BTW, I'm trying to push to "gcr.io".
Fixed. I was using a VM in Compute Engine as my development machine, and it looks like I didn't give it enough rights in Storage.
I had the same problem with access denied and I resolved it by creating a new image using tag:
docker tag IMAGE_WITH_ACCESS_DENIED gcr.io/my-project/my-new-image:test
After that I could push it to Container Registry:
gcloud docker -- push gcr.io/my-project/my-new-image:test
Today I also got this error inside Jenkins running on Google Kubernetes Engine when pushing the docker container. The reason was a node pool node version upgrade from 1.9.6-gke.1 to 1.9.7-gke.0 in gcp I did before. Worked again after the downgrade.
You need to log in to gcloud from the machine you are on:
gcloud auth login
