Access denied pushing images to gcr repository - docker

No matter what I do I can't push images to google repository. I followed this guide and I do these commands directly from the google cloud shell
docker build -t eu.gcr.io/[project-id]/[imagename]:[tag] ~/[folder]
docker tag eu.gcr.io/[project-id]/[imagename]:[tag] eu.gcr.io/[project-id]/[imagename]:[tag]
docker push eu.gcr.io/[project-id]/[imagename]:[tag]
I get this output when pushing
4d1ea31bd998: Preparing
03b6a2b0817c: Preparing
104044bed4c7: Preparing
2222fefcbbfc: Preparing
75166708bd17: Preparing
5eefc1b802bb: Waiting
5c33df241050: Waiting
ffc4c11463ee: Waiting
denied: Unable to access the repository, please check that you have permission to access it.
I've search for this online but everyone seems to have authentication issues. Since I can't execute this neither from my local machine or the google cloud shell I don't think there's a problem there since when I'm on the shell I'm using the owner account [owner]#[project-id]. I have billing and Container Registry API active
From my understanding pushing should create a bucket for this but I even tried creating a bucket but I have no idea if and how to configure it to be used for image repository. I have billing and Container Registry API activated

You probably did not authenticate with the registry. Please try to login before pushing. Just type in the console and enter your credentials:
docker login eu.gcr.io

Related

Working with Jenkins and GHCR; can a github app authenticate to push a docker image?

We are trying to setup a workflow using Jenkins to build docker images using code that is onto github and push it back onto it.
We have setup a github app for jenkins to use to access the code repository/branches/PR, but it seems although i have given the github app the 'package' permission, i am incapable of using the same credentials to push a package. I have not managed to do a 'docker login' using the credentials, nor using the 'withRegistry' wrapper in the jenkins file.
We do set the GHCR_Credentials in the environment
pipeline {
agent any
environment {
GHCR_CREDENTIALS=credentials('github-app-creds')
}
And then we try pushing the built image using :
docker.withRegistry('https://ghcr.io', GHCR_CREDENTIALS) {
dockerImageBuild.push()
}
It fails and i get an error :
Error response from daemon: Get "https://ghcr.io/v2/": denied: denied
Is it possible to use credentials to push docker images? If so, how? Otherwise i will have to default using a PAT, but it'll be bound to my account and not the organisation, which isn't practical.

docker push to google cloud GCP fails with name unknown: Buckets

Trying to push a local image to a google cloud project, which fails with this error. Any help?
$ docker push gcr.io/myprojectID/myrstudio:latest
The push refers to repository [gcr.io/ myprojectID /myrstudio]
07fc541c7837: Preparing
5f40edd3a036: Preparing
8243f7003c86: Preparing
55903d33bbd7: Preparing
6f15325cc380: Preparing
1e77dd81f9fa: Preparing
030309cad0ba: Preparing
1e77dd81f9fa: Waiting
030309cad0ba: Waiting
6f15325cc380: Layer already exists
1e77dd81f9fa: Layer already exists
030309cad0ba: Layer already exists
55903d33bbd7: Pushed
07fc541c7837: Pushed
5f40edd3a036: Pushed
8243f7003c86: Pushed
name unknown: Buckets(myprojectID ,artifacts. myprojectID.appspot.com)
Looks like something was pushed, but at some point failing...
EDIT: running wind 10 version 20H2 (OS build 19042.1288)
When you perform a docker push to Google Container Registry your image is stored inside a bucket in your project;
Container Registry uses Cloud Storage buckets as the underlying storage for container images. You control access to your images by granting permissions to the bucket for a registry.
If this is a first time that you try to push an image - the account you're using must have Storage Admin role. That's because a bucket that will store your images has to be created.
Have a look at the documentation that describes all the steps to grant necessary permissions.
If you're not familiar with GCP Cloud Storage then have a look at the guide describing how to use GCP's storage buckets.
Also you may consider trying out Artifact Registry which gives you more control over your images.

How to push image to Docker Hub

I can't push my local image to Docker hub. I checked every topics in here but still couldn't solve it.
My local image is like below;
[root#DOCKER2Demo]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
companyrepo123/man-demo latest b86sbfd26 41 minutes ago 5.31GB
So I want to push this image to the "companyrepo123/man-demo:latest" repository.
So I login successfully with "docker login" and run the command below
docker push companyrepo123/man-demo:latest
But gives the error below;
The push refers to repository [docker.io/companyrepo123/man-demo]
82bb2b81506d: Preparing
0ae79b7db02c: Preparing
df9824e71502: Preparing
d384c5326457: Preparing
da1504cd9d9b: Preparing
976e766378b6: Waiting
8154f91c38f9: Waiting
a74cf09880c3: Waiting
1c0efef42405: Waiting
1417e6a7c4fd: Waiting
79ac04ef09ff: Waiting
77b174a6a187: Waiting
denied: requested access to the resource is denied
I already login. Tried to logout and login and but still same.
Please noticed that my username is not "companyrepo123". This is our company's repository, my username to login Docker hub is "yatta".
How can I push that image?
Regards.
You need to push to a repository under your namespace in Docker Hub, where the first part of that path is your username or organization. So myrepo123 would be your username.
Next, you'll want to create the repository, myrepo123/man-demo on Docker Hub (from the web interface), and if this is under an organization, make sure your user has access to push to that repo within the organization.
If you've done that, then make sure you have logged into Docker Hub, with the correct username, using:
docker login
If you have enabled 2fa on Hub, the password for this is an access token you generate from the web page.

denied: requested access to the resource is denied when pushing image to gitlab registry

I'm trying to push an image to gitlab registry.
I've done it many times, so I wonder why I get this error.
I build the image with latest tag:
Successfully tagged registry.gitlab.com/mycompany/rgpd_api:latest
Then I login and I push:
docker login registry.gitlab.com -u gitlab+deploy-token-91931
docker push registry.gitlab.com/mycompany/rgpd_api:latest
But I get:
The push refers to repository [registry.gitlab.com/mycompany/rgpd_api]
be679cc302b9: Preparing
denied: requested access to the resource is denied
I gave gitlab+deploy-token-91931 token both read_repository and read_registry rights.
My repo is:
https://gitlab.com/mycompany/rgpd_api
I checked with docs page: https://docs.gitlab.com/ee/user/project/container_registry.html
But when I do it through Gitlab CI, with gitlab-ci-token
I can push it normally.
I also tried to regenerate a new token, but still same issue.
How can I fix it ?
I've stumbled upon this question as well and it turns out that
Group level Deploy tokens can be used to push images to group level container registry similarly to a PAT token with API access or other applicable scopes.
The image must to be tagged with the tag that matches an existing project within the group.
Any image tagged differently will be rejected with the denied: requested access to the resource is denied error message.
So, with the setup below:
GitLab group called mytest
Project within that group called hello-world
Docker image tagged as registry.gitlab.com/mytest/hello-world
Deploy token created for an entire group
Docker daemon authorized to push to that registry by cat "<deploy_token>" | docker login -u "<token_username>" --password-stdin registry.gitlab.com
You will get the following results:
Successful push for docker push registry.gitlab.com/mytest/hello-world because such project exists within the group
denied: requested access to the resource is denied if you try to push an image tagged with the name of the project that does not exist in the group like docker push registry.gitlab.com/mytest/no-project
So, again, image must be tagged to match an existing path within te group, like an existing project within the group or a subgroup.
My error was to use a deploy token to push a image to a registry.
A deploy token can be used to pull an image, but not push it.
So, instead, you can generate a Personal Access Token. You should add at least permissions:
read_registry, write_registry
Make sure you have proper configuration in settings.
Go to Settings of project, then "Visibility, project features, permissions" and check "Container registry : Every project can have its own space to store its Docker images" (for members only or for everyone, up to you). Otherwise, the push and pull will be denied.
This happened to me and that's how I solved it.
you can make docker logout your registry and login again.
It's recreate your token.
this work in my case.

GitLab Docker Registry Push Failed - Access Denied

I'm having trouble pushing to GitLab Container Registry.
I can login successfully using my username and a personal access token but when I try to push the image to the registry, I get the following error:
$ docker push registry.gitlab.com/[groupname]/dockerfiles/nodemon
The push refers to a repository
[registry.gitlab.com/[groupname]/dockerfiles/nodemon]
15d2ea6e1aeb: Preparing
2260f979a949: Preparing
f8e848bb8c20: Preparing
740a5345706a: Preparing
5bef08742407: Preparing
denied: requested access to the resource is denied
I assume the issue is not with authentication because when I run a docker login registry.gitlab.com, I get a Login Succeeded message.
Where is the problem?
How should I push my images to GitLab Container Registry?
I got it working by including api scope to my personal access token.
The docs states The minimal scope needed is read_registry. But that probably applies for read only access.
Reference: https://gitlab.com/gitlab-com/support-forum/issues/2370#note_44796408
In my case it was really dumb, maybe even a gitlab bug :
I renamed the gitlab project after the creation of the container registry, so the container registry url was still with the old name ...
The project name under gitlab had the typo error corrected but not the registry link and it led to this error
Had a similar issue, it was because of the url that was used for tagging and pushing the repo.
It should be
docker push registry.gitlab.com/[account or group-name]/[reponame]/imagename
It was previously a correct answer to say that the personal access token needs to include the api permission, and several answers on this page say exactly that.
Recently, GitLab appear to have improved the granularity of their permission system. So if you want to push container images to the GitLab Docker registry, you can create a token merely with the read_registry and write_registry permissions. This is likely to be a lot safer than giving full permissions.
I have tested this successfully today.
Enable the personal access token by adding api scope as per this guidelines. After creating the token and username, use these credentials for logging into the Docker environment or pushing.
Deploy tokens created under CI/CD setup is not sufficient for pushing the image to a Docker registry.
I had the same issue.
In my case, the issue was I had AutoDevOps enabled before, which seem to generate a deploy token automatically.
Now deploy tokens are just API keys basically for deployment.
But GitLab has a special handling for gitlab-deploy-token which you can then access via $CI_DEPLOY_USER and $CI_DEPLOY_PASSWORD as a predefined variable.
However, I did not double-check the default token.
In my case, it only had read_registry, of course though, it also needs write_registry permissions.
If you do this, then you can follow the official documentation.
Alternatively, you can apparently also switch to $CI_REGISTRY_USER and $CI_REGISTRY_PASSWORD, which are ephemeral, however.

Resources