Compute Engine fails to connect to Container Registry - docker

I am trying to pull my Container Registry docker image but it fails with:
Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
I am on a compute engine instance so I believe it's already configured to pull? I also checked the service account and roles.
I even added the Storage Viewer role to my compute engine service account.
What is wrong here?

In addition to permissions, you need to authenticate your compute engine instance to connect to Container Registry. Please see Advanced Authentication for more details.

Related

GCP Cloud Run Cannot Pull Image from Artifact Registry in Other Project

I have a parent project that has an artifact registry configured for docker.
A child project has a cloud run service that needs to pull its image from the parent.
The child project also has a service account that is authorized to access the repository via an IAM role roles/artifactregistry.writer.
When I try to start my service I get an error message:
Google Cloud Run Service Agent must have permission to read the image,
europe-west1-docker.pkg.dev/test-parent-project/docker-webank-private/node:custom-1.
Ensure that the provided container image URL is correct and that the
above account has permission to access the image. If you just enabled
the Cloud Run API, the permissions might take a few minutes to
propagate. Note that the image is from project [test-parent-project], which
is not the same as this project [test-child-project]. Permission must be
granted to the Google Cloud Run Service Agent from this project.
I have tested manually connecting with docker login using the service account's private key, and the docker pull command works perfectly from my PC.
cat $GOOGLE_APPLICATION_CREDENTIALS | docker login -u _json_key --password-stdin https://europe-west1-docker.pkg.dev
> Login succeeded
docker pull europe-west1-docker.pkg.dev/bfb-cicd-inno0/docker-webank-private/node:custom-1
> OK
The service account is also attached to the cloud run service:
You have 2 types of service account used in Cloud Run:
The Google Cloud Run API service account
The Runtime service account.
In your explanation, and your screenshot, you talk about the runtime service account, the identity that will be used by the service when it runs and calls Google Cloud APIs.
BUT before running, the service must be deployed. This time, it's a Google Cloud Run internal process that runs to pull the container, create a revision and do all the required internal stuff. To do that job, a service account also exists; it's named "service agent".
In the IAM console, you can find it; the format is the following:
service-<PROJECT_NUMBER>@serverless-robot-prod.iam.gserviceaccount.com
Don't forget to tick the checkbox in the upper right corner to include the Google-managed service accounts.
If you want this deployment service account to be able to pull images from another project, grant the correct permission to it, not to the runtime service account.
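As an added example (not from the question or the answer above), the following POSIX shell script takes the image URL from the error message, splits it into location, parent project and repository, builds the service agent identity from the child project's number, and prints the gcloud binding that grants that agent read access on the parent repository. The project number 111111111111 is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original posts): from the image URL in the
# error message, derive the IAM binding the child project's Cloud Run
# service agent needs on the parent project's repository. The child project
# number 111111111111 is a constructed placeholder; get the real one with:
#   gcloud projects describe test-child-project --format='value(projectNumber)'

# ar_parse IMAGE_URL -> "LOCATION PROJECT REPOSITORY" for an image named
# <location>-docker.pkg.dev/<project>/<repository>/<image>[:tag|@digest]
ar_parse() {
  url="$1"; host="${url%%/*}"
  case "$host" in
    *-docker.pkg.dev) ;;
    *) echo "not an Artifact Registry docker host: $host" >&2; return 1 ;;
  esac
  rest="${url#*/}"; project="${rest%%/*}"
  rest="${rest#*/}"; repo="${rest%%/*}"
  printf '%s %s %s\n' "${host%-docker.pkg.dev}" "$project" "$repo"
}

# cloud_run_agent PROJECT_NUMBER -> the Google-managed service agent identity
# (the "service agent" the answer above refers to)
cloud_run_agent() {
  printf 'service-%s@serverless-robot-prod.iam.gserviceaccount.com\n' "$1"
}

# grant_cmd IMAGE_URL CHILD_PROJECT_NUMBER -> the gcloud command granting the
# agent read access on the parent repository. Printed, not executed, so it
# can be reviewed before it is run.
grant_cmd() {
  parsed=$(ar_parse "$1") || return 1
  location=${parsed%% *}; rest=${parsed#* }
  project=${rest%% *}; repo=${rest#* }
  printf 'gcloud artifacts repositories add-iam-policy-binding %s --project=%s --location=%s --member=serviceAccount:%s --role=roles/artifactregistry.reader\n' \
    "$repo" "$project" "$location" "$(cloud_run_agent "$2")"
}

IMAGE='europe-west1-docker.pkg.dev/test-parent-project/docker-webank-private/node:custom-1'
grant_cmd "$IMAGE" 111111111111
```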

gcp docker push - permission denied

The default service account that a GCP VM uses has been granted storage.buckets.* and storage.objects.* roles, yet I get the error that the storage.buckets.create permission isn't set up.
denied: Token exchange failed for project 'test-307504'. Caller does
not have permission 'storage.buckets.create'. To configure
permissions, follow instructions at:
https://cloud.google.com/container-registry/docs/access-control
The default service account is 123456789-compute@developer.gserviceaccount.com, and I've created roles related to storage, assigned them to the IAM service account, and run the command gcloud auth configure-docker. But I'm still unable to push docker images to the GCR repository.
Is there something else I should be doing after assigning the roles to refresh on the VM?
Apart from permissions, check the access scope at the VM level.
While you are at it, read up on Using the Compute Engine Default Service Account and Best Practices too.

Unable to anonymously pull images from okd/openshift-origin docker registry using docker pull

Using okd/openshift-origin 3.11 (and previous versions), we've been unable to get anonymous image pulls working.
We've tried adding various groups to the registry-viewer role as indicated by the instructions from the merge request where the feature was added.
We've tried:
oc policy add-role-to-user registry-viewer system:anonymous -n <project>
oc policy add-role-to-user registry-viewer system:unauthenticated -n <project>
When viewing the registry in the GUI the access policy shows Anonymous: Allow all unauthenticated users to pull images
Yet this is the result when trying to pull:
docker pull docker-registry-default.$cluster/$project/$image:latest
Error response from daemon: Get https://docker-registry-default.$cluster/v2/$project/$image/manifests/latest: unauthorized: authentication required
What are we missing?
If there is a $HOME/.docker/config.json credential file on the client machine, could you try whether you can pull the image after removing (or backing up) the credential file?
Because docker pull uses $HOME/.docker/config.json by default, it can cause unexpected authorization trouble like this by authenticating with the credential file. By removing the docker credential file (config.json), you can verify whether docker pull is conducted unauthenticated.
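The check that both the answer above and the Compute Engine / Container Registry answer at the top of this page call for, as an added example that is not from either post: a POSIX shell function that reports how docker will authenticate to a given registry host according to $HOME/.docker/config.json, either via a credential helper (what gcloud auth configure-docker installs), via a stored login (which makes an "anonymous" pull test not anonymous), or not at all. The sample config, hostnames and base64 value are constructed.

```shell
#!/bin/sh
# Added example (not from either post): report how `docker pull` will
# authenticate to a registry host, judging from $HOME/.docker/config.json.
# Only grep/sed are used, so it runs without jq. The config below is a
# constructed sample; the base64 value is a dummy, not a real credential.

SAMPLE_CONFIG='{
  "auths": {
    "docker-registry-default.example.com": { "auth": "ZHVtbXk6ZHVtbXk=" }
  },
  "credHelpers": {
    "gcr.io": "gcloud",
    "europe-west1-docker.pkg.dev": "gcloud"
  }
}'

# docker_auth_mode CONFIG_FILE HOST -> prints helper:<name>, stored or anonymous
docker_auth_mode() {
  config="$1"; host="$2"
  [ -r "$config" ] || { echo anonymous; return 0; }
  esc=$(printf '%s' "$host" | sed 's/\./\\./g')    # literal dots in the regex
  # a credHelpers entry looks like  "host": "helper"
  helper=$(grep -o "\"$esc\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" "$config" \
           | sed 's/.*:[[:space:]]*"\([^"]*\)"$/\1/' | head -n 1)
  if [ -n "$helper" ]; then echo "helper:$helper"; return 0; fi
  # an auths entry looks like  "host": { "auth": "..." }
  if grep -q "\"$esc\"[[:space:]]*:[[:space:]]*{" "$config"; then
    echo stored; return 0
  fi
  echo anonymous
}

# explain_mode MODE -> what that mode means for the two questions above
explain_mode() {
  case "$1" in
    helper:*)  echo "credential helper '${1#helper:}' supplies a token (what gcloud auth configure-docker sets up)" ;;
    stored)    echo "stored login is sent, so a pull test is NOT anonymous; move config.json aside to test that" ;;
    anonymous) echo "no credentials are sent; works only if the registry allows unauthenticated pulls" ;;
  esac
}

# Demo on the constructed config, then on the real one if it exists.
TMP=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$TMP"
for h in gcr.io docker-registry-default.example.com quay.io; do
  m=$(docker_auth_mode "$TMP" "$h"); echo "$h -> $m: $(explain_mode "$m")"
done
rm -f "$TMP"
REAL="${DOCKER_CONFIG:-$HOME/.docker}/config.json"
[ ! -r "$REAL" ] || echo "your gcr.io mode: $(docker_auth_mode "$REAL" gcr.io)"
```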

docker push failed. unauthorized: authentication required

I have a Visual Studio subscription. From that I have the benefit of accessing Azure DevOps. I used Docker Container Registry for image build and push, and it was successful. Now I have changed to Azure Container Registry; this time the image build is successful, but the push failed saying unauthorized access. See the error below:
The push refers to repository [(registryname).azurecr.io/(myname)/myfirstproject]. unauthorized: authentication required
I have tried to select Service Principal Authentication option, but saying
**Failed to create an app in Azure Active Directory. Error: Insufficient privileges to complete the operation.**
So, I have used Managed Identity Authentication option, but the push image failed.
Is it that I have to use the Service Principal Authentication option only to push the image in ACS, or am I missing anything?
I can provide more information if required.
Thanks in advance.

Google Cloud Jenkins gcloud push access denied

I'm trying via Jenkins to push an image to the container repository. It was working at first, but now I get "access denied":
docker -- push gcr.io/xxxxxxx-yyyyy-138623/myApp:master.1
The push refers to a repository [gcr.io/xxxxxxx-yyyyy-138623/myApp]
bdc3ba7fdb96: Preparing
5632c278a6dc: Waiting
denied: Access denied.
The Jenkinsfile looks like:
sh("gcloud docker --authorize-only")
sh("docker -- push gcr.io/xxxxxxx-yyyyy-138623/hotelpro4u:master.1")
Remarks:
Jenkins is running in Google Cloud
If I try in Google Shell or from my computer, it's working
I followed this tutorial : https://github.com/GoogleCloudPlatform/continuous-deployment-on-kubernetes
I've been stuck for 12 hours... I need help.
That error means that the GKE node is not authorized to push to the GCS bucket that is backing your repository.
This could be because:
The cluster does not have the correct scopes to authenticate to GCS. Did you create the cluster w/ --scopes storage-rw?
The service account that the cluster is running as does not have permissions on the bucket. Check the IAM & Admin section on your project to make sure that the service account has the necessary role.
Building on @cj-cullen's answer above, you have two options:
Destroy the node pool and then, from the CLI, recreate it with the missing https://www.googleapis.com/auth/projecthosting,storage-rw scope. The GKE console does not have the capability to change the default scopes when creating a node pool from the console.
Stop each instance in your cluster. In the console, click the edit button for the instance. You should now be able to add the appropriate https://www.googleapis.com/auth/projecthosting,storage-rw scope.
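Added example (not from the posts above): a POSIX shell function that classifies what a VM's or node pool's OAuth access scope list allows against the GCS bucket behind gcr.io, which is the scope-level check this answer and the "gcp docker push - permission denied" answer above both point to. Scopes are a ceiling on top of IAM, so both must allow the push. The scope lists are constructed; a live one comes from gcloud compute instances describe with the format shown in the comments.

```shell
#!/bin/sh
# Added example (not from the original posts): classify what a VM's or GKE
# node pool's OAuth access scopes allow against the GCS bucket behind gcr.io.
# Scopes are a ceiling on top of IAM: both must permit the operation. The
# scope lists below are constructed; a live one comes from
#   gcloud compute instances describe NAME --zone ZONE \
#       --format='value(serviceAccounts[0].scopes)'
# (semicolon separated). gcloud's short aliases such as storage-rw are
# accepted as well.

# gcr_scope_access "SCOPE LIST" -> prints push, pull or none
gcr_scope_access() {
  access=none
  for s in $(printf '%s' "$1" | tr ';,' '  '); do
    case "$s" in
      */auth/cloud-platform|*/auth/devstorage.full_control|*/auth/devstorage.read_write|storage-full|storage-rw)
        access=push ;;
      */auth/devstorage.read_only|storage-ro)
        [ "$access" = push ] || access=pull ;;
    esac
  done
  echo "$access"
}

# diagnose "SCOPE LIST" WANT (pull|push) -> the next thing to check
diagnose() {
  have=$(gcr_scope_access "$1")
  case "$2:$have" in
    pull:pull|pull:push|push:push)
      echo "scope OK for $2; if still denied, fix IAM on the service account" ;;
    push:pull)
      echo "scope only allows pull: recreate the node pool with --scopes storage-rw, or stop the VM and edit its access scopes" ;;
    *)
      echo "no storage scope at all: recreate with --scopes storage-ro (pull) or storage-rw (push)" ;;
  esac
}

# Constructed: the GCE default scope set (read-only storage) vs a push-capable one
DEFAULT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only;https://www.googleapis.com/auth/logging.write;https://www.googleapis.com/auth/monitoring.write'
PUSH_SCOPES='https://www.googleapis.com/auth/devstorage.read_write;https://www.googleapis.com/auth/logging.write'
for list in "$DEFAULT_SCOPES" "$PUSH_SCOPES" ""; do
  echo "$(gcr_scope_access "$list") -> $(diagnose "$list" push)"
done
```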