Google Container Registry - unauthorized, struggling to authenticate - docker

Recently got a new Mac, and now I am struggling to push docker containers to GCR - receiving the error:
unauthorized: You don't have the needed permissions to perform this operation, and you
may have invalid credentials. To authenticate your request, follow the steps in:
https://cloud.google.com/container-registry/docs/advanced-authentication
Commands that led to this error:
docker build -t our-node-container ./
docker tag our-node-container gcr.io/our-gcp-project/our-grc-images-directory
docker push gcr.io/our-gcp-project/our-grc-images-directory
Confirming that:
I have a GCP account with billing, have enabled the Container Registry API and installed Cloud SDK, and have Docker installed.
I have authenticated with gcloud auth login, which opened a window where I selected my email address associated with the GCP account. It led to this page.
and afterwards, I ran gcloud config set project our-gcp-project. I have closed my terminal window and attempted to docker push again, but continue to get this unauthorized error. How else can I troubleshoot this in an effort to solve the problem?

As is standard, we solved the issue just moments after posting the question. Rather than deleting the question, I'll post an answer incase anyone runs into same issue.
We simply missed the last step, which was to run gcloud auth configure-docker to update the config file in /home/.docker/config.json

Related

401 error when using docker push to private registry (Heroku Registry)

While following Heroku's docs for how to push a docker image to their registry, I keep running into this error:
> docker push registry.heroku.com/<MY-APP>/web cd
Using default tag: latest
The push refers to repository [registry.heroku.com/<MY-APP>/web]
e0d052f1dc62: Preparing
41ec0e96eb83: Preparing
d081ada49467: Waiting
73c3e7ef7bc6: Waiting
unauthorized: authentication required
I continue to get a Login Succeeded whenever I try to use docker login, so I'm not sure what the issue is.
I tried to debug using the Docker Daemon logs but those weren't helpful.
Turns out I was bitten by what I'd consider to be a bug with the Heroku registry that stems from a debate about how to deny the user properly when they're logged in but try to access a resource that either doesn't exist or isn't theirs so that sensitive info, like the existence of a resource, isn't exposed (check this summary if you're interested).
TL;DR - Heroku shuold be sending a 404 but send a 401 instead - Go make the app via the UI and then try again.

Getting unauthorised access when trying to logging in to acr

I am trying to build a gitlab-ci pipeline and push the build image to acr from gitlab. I am using the command
docker login ****.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password EXPOSE_TOKEN
It has worked before many times but this time it is not working.
I am getting the error :
'Error response from daemon: Get https://****.azurecr.io/v2/: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.`
I am also tying to deploy the image to aks but getting the same error. I have executed my pipeline many times and this is the first time that I am getting this error.
Update
The issue got resolved after I updated the expose-token value. The value of expose-token gets changed at regular intervals. This was the same issue I faced, I updated my command with the new value and it worked fine.
Just for info:
To get the value of the expose-token please run the below command in your azure cli
az acr login --name <acr-username> --expose-token

action: push: unauthorized to access repository docker harbor registry

I’m trying to push to harbor registry 2.2.
It works with ssl and the storage is on locally mounted NFS share.
The error I get is: unauthorized to access repository: test/flask, action: push: unauthorized to access repository: test/flask, action push.
I tried to push with the admin user to project that I’ve created it with.
I tried to change the permission of the nfs share and it didn’t work.
The registry is on compose and not on Kubernetes.
Had the same inexplicable issue, just started happening one day after several months with no issues. Required me to explicitly logout of Harbor registry and then login.
docker logout registry.example.com
docker login registry.example.com
After this sequence, the "unauthorized to access" went away, and pushes began working again.
I had the similar problem and the solution was docker login registry.example.com .
I had the same issue. In my case, the problem was that the username and password that were used in the GitLab pipeline were protected. This means that they were only shared with pipelines from a protected branch like master for example. Since I was testing my changes in the pipeline in a feature branch, all I had to do was to go to variable settings and uncheck the protected flag for harbor user and password so it can be shared with the pipelines that were running from feature branches.

Permission issues while docker push

I'm trying to push my docker image to google container image registry but get an error which says I do not have the needed permission to perform this operation.
I have already tried gcloud auth configure-docker but it doesn't work for me.
I first build the image using:
docker build -t gcr.io/trynew/hello-world-image:v1 .
Then I'm trying to attach a tag and push it:
docker push gcr.io/trynew/hello-world-image:v1
This is my output :
The push refers to repository [gcr.io/trynew/hello-world-image]
e62774cdb1c2: Preparing
0f6265b750f3: Preparing
f82351274ce3: Preparing
31a16430afc8: Preparing
67298499a3ed: Preparing
62d5f39c8fe4: Waiting
9f8566ee5135: Waiting
unauthorized: You don't have the needed permissions to perform this
operation, and you may have invalid credentials.
To authenticate your request, follow the steps in:
https://cloud.google.com/container-registry/docs/advanced-authentication
Google cloud services have specific information how to grant permissions for docker push, this is the first thing you should have a look I think, https://cloud.google.com/container-registry/docs/access-control
After checking that you have sufficient permissions you should proceed with authentication with something like:
gcloud auth configure-docker
See more here: https://cloud.google.com/container-registry/docs/pushing-and-pulling
If you are running docker as root (i.e. with sudo docker), then make sure to configure the authentication as root. You can run for example:
sudo -s
gcloud auth login
gcloud auth configure-docker
...that will create (or update) a file under /root/.docker/config.json.
(Are there any security implications of gcloud auth login as root? Let me know in the comments.)
In order to be able to push images to the private registry you need two things: API Access Scopes and Authenticate your VM with the registry.
For the API Access Scopes (https://cloud.google.com/container-registry/docs/using-with-google-cloud-platform) we can read in the official documentation:
For GKE:
By default, new Google Kubernetes Engine clusters are created with
read-only permissions for Storage buckets. To set the read-write
storage scope when creating a Google Kubernetes Engine cluster, use
the --scopes option.
For GCE:
By default, a Compute Engine VM has the read-only access scope
configured for storage buckets. To push private Docker images, your
instance must have read-write storage access scope configured as
described in Access scopes.
So first, verify if your GKE cluster or GCE instance actually has the proper scopes set.
The next is to authenticate to the registry:
a) If you are using a Linux based image, you need to use "gcloud auth configure-docker" (https://cloud.google.com/container-registry/docs/advanced-authentication).
b) For Container-Optimized OS (COS), the command is “docker-credential-gcr configure-docker” (https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#accessing_private_google_container_registry)
Windows / Powershell
I got this error on Windows when I was trying to run docker push from a normal powershell window after authenticating in the google cloud shell that had opened when I installed the SDK.
The solution was simple:
Start a new powershell window to run docker push after running the gcloud auth configure-docker command.
Make sure you've activated the registry too:
gcloud services enable containerregistry.googleapis.com
Also Google has a tendency to jump to a default account (maybe your personal gmail) which may or may not be the one you want (your business email). Make sure if you're opening any links in a browser that you're in the correct Google account.
I'm not exactly sure what's going on yet because I'm brand new to docker, but something got refreshed when starting a new Powershell instance.
as noted https://stackoverflow.com/a/59799035/26283371 there appears to be a bug in the Linux version of cloud sdk where authentication fails using the standard authentication method (gcloud auth configure-docker). Instead, create a JSON keyfile per this and that tends to work.
I still can't get the gcloud auth configure-docker helper to work. What did was authenticating with an access token, like so
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://HOSTNAME
where HOSTNAME is gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io. (Be sure to include https://, otherwise it won't work).
You can view options for print-access-token here.
First thing, Make sure you covered all points listed in the following official documentation
https://cloud.google.com/container-registry/docs/advanced-authentication
This error occurs mostly due to docker config update, which you can check using command cat .docker/config.json
Now update with gcr with following command
gcloud auth configure-docker
Just in case anyone else is banging their head against a wall my PIA VPN caused this behavior.
"unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"
Turn my VPN off and it works fine. Turn it back on and it breaks again.
This is the only way that worked for me. I found it in a kubernetes/kompose Github issue.
Remove the credsStore key in ~/.docker/config.json
This will force docker to write the auth into the json when you use docker login. You can't untick Securely store Docker logins in macOS keychain in the docker desktop any more -- and the current credStore is no longer macOS keychain, it's desktop.
gcloud auth login Auth with gcloud (just to be explicit)
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://eu.gcr.io
You should see this:
WARNING! Your password will be stored unencrypted in /Users/andrew/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Source: https://github.com/kubernetes/kompose/issues/1043#issuecomment-609019141
The fix is as follows: run gcloud auth login (the browser will open and allow you to authenticate) then run gcloud auth configure-docker and select Y - then redo push. It should work like charm.
I also have the same issue in the Linux environment. So I just set the Docker to run as a non-root user, (https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user), and it works.
In my case DOCKER_CONFIG env variable was defined with an invalid value (not pointing to a docker config json).
I had the same issue, but for me, the problem was with internal users in my Linux system. I authenticated with gcloud my personal Linux user and when pushing, I was doing with root. So I had to authenticate my root user with gcloud as well:
sudo gcloud init
This issue happens to me when i switch service account which is pointing to different GCP Projects. Even though the service account has permission to push it says it does not have the permission. To resolve this by deleting config.json file which is present in .docker
Once this is done run the below commands and you should be able to push the image.
gcloud auth configure-docker
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://HOSTNAME
Where HOSTNAME= gcr.io , asia.gcr.io etc

Docker hello-world: authentication error

I'm just getting started with docker. I'm following the instructions specified here https://docs.docker.com/windows/step_one/
I installed docker (1.10.2) on windows 10 & ran docker run hello-world . But, I'm getting an authentication error while the tutorial doesn't mentioned anything about it.
Here's the message I received.
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
docker: Error response from daemon: Authentication is required: Get https://registry-1.docker.io/v2/library/hello-world/manifests/latest: unauthorized: incorrect username or password.
See 'C:\Program Files\Docker Toolbox\docker.exe run --help'.
I searched google & here, but couldn't find anything similar to this error message.
Thanks!
Please run docker login at first time when you run any other docker commands.
You can log into any public or private repository for which you have credentials. When you log in, the command stores encoded credentials in $HOME/.docker/config.json on Linux or%USERPROFILE%/.docker/config.json on Windows.
If you login through your emailId it does not works.
On windows login using your docker hub id.
You can access by your username.
Probably it can happen if you were logged in before, by console or by kitematic.
You can try docker logout if you want use docker without auth.
In this case Authentication is required: shouldn't appear again.
I have solved this issue in macOS Mojave (version : 10.14.3)
docker login
Login with your username not email id then its working fine.
On macOS you need to login from the commandline using
docker login
Also you must use your username and not your email
on ubuntu:
docker login
so if you don't know your username password, you probably haven't created one.
what you should do, is go and create an id on docker
visit: official docker webpage
just like any other github accout ,they will ask you for the username, provide one and they will authenticate same as github, once done , put your email and password. verify it and you are now good to go.
ok! now coming to the point...
if you were facing the problem like the problem statement ,
just do
docker login
enter username and password, that you just provided .
you will be displayed ,"LOGIN succeeded"
now run this command
docker run hello-world
beware of the dash '-' sign , i myself stuck with this issue, and you are done.
thanks:)
run docker login to execute any other docker commands. or just logout if you want to use public hubs docker logout
For worked trying docker logout and then docker login with the proper credentials
For those who logged in via their email address associated with their account during the Docker desktop installation process - this problem seems to occur because the terminal has also stored those credentials, but for some reason it only accepts login's via your actual username.
If you go to DockerHub you should see it in the upper right corner.
Try running docker login with that username, and you should be all set!
docker login
# username from dockerhub
# the same password
Setting my vNAT for docker dns server to 8.8.8.8 resolved my issue on windows just try might help thanks

Resources