I'm having trouble pushing to GitLab Container Registry.
I can login successfully using my username and a personal access token but when I try to push the image to the registry, I get the following error:
$ docker push registry.gitlab.com/[groupname]/dockerfiles/nodemon
The push refers to a repository [registry.gitlab.com/[groupname]/dockerfiles/nodemon]
15d2ea6e1aeb: Preparing
2260f979a949: Preparing
f8e848bb8c20: Preparing
740a5345706a: Preparing
5bef08742407: Preparing
denied: requested access to the resource is denied
I assume the issue is not with authentication because when I run a docker login registry.gitlab.com, I get a Login Succeeded message.
Where is the problem?
How should I push my images to GitLab Container Registry?
I got it working by including api scope to my personal access token.
The docs state: "The minimal scope needed is read_registry." But that probably applies to read-only access.
Reference: https://gitlab.com/gitlab-com/support-forum/issues/2370#note_44796408
In my case it was really dumb, maybe even a GitLab bug:
I renamed the GitLab project after the creation of the container registry, so the container registry URL still had the old name...
The project name in GitLab had the typo corrected, but the registry link did not, and that led to this error.
Had a similar issue, it was because of the url that was used for tagging and pushing the repo.
It should be
docker push registry.gitlab.com/[account or group-name]/[reponame]/imagename
It was previously a correct answer to say that the personal access token needs to include the api permission, and several answers on this page say exactly that.
Recently, GitLab appear to have improved the granularity of their permission system. So if you want to push container images to the GitLab Docker registry, you can create a token merely with the read_registry and write_registry permissions. This is likely to be a lot safer than giving full permissions.
I have tested this successfully today.
Enable the personal access token by adding the api scope as per these guidelines. After creating the token and username, use these credentials for logging into the Docker environment or pushing.
Deploy tokens created under CI/CD setup are not sufficient for pushing the image to a Docker registry.
I had the same issue.
In my case, the issue was that I had AutoDevOps enabled before, which seems to generate a deploy token automatically.
Now deploy tokens are just API keys basically for deployment.
But GitLab has a special handling for gitlab-deploy-token which you can then access via $CI_DEPLOY_USER and $CI_DEPLOY_PASSWORD as a predefined variable.
However, I did not double-check the default token.
In my case, it only had read_registry; of course, it also needs write_registry permissions.
If you do this, then you can follow the official documentation.
Alternatively, you can apparently also switch to $CI_REGISTRY_USER and $CI_REGISTRY_PASSWORD, which are ephemeral, however.
I am trying to push docker image from jenkins configured on compute engine with default service account. But it is failing with this error:
[Docker] ERROR: failed to push image gcr.io/project-id/sms-impl:work ERROR: Build step failed with exception com.github.dockerjava.api.exception.DockerClientException: Could not push image: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
What do I need to do?
To authenticate to Container Registry, use gcloud as a Docker credential helper. To do so, run the following command:
gcloud auth configure-docker
You need to run this command once to authenticate to Container Registry. We strongly recommend that you use this method when possible. It provides secure, short-lived access to your project resources. Please follow the steps in link 1.
At the bottom of the page that was linked, you will see a further link to Using GCR with GCP, in particular, this section describes what you need to do.
To summarize, the service account needs the permissions to write to the storage bucket for GCR. Since you mentioned you were using the default service account, it further will need the access scopes set for that instance. The default only grants 'read' unless you have specified all scopes.
A few ways to do this:
When you create the instance using gcloud, specify --scopes https://www.googleapis.com/auth/devstorage.read_write
In the console, select the scope specifically or select "all scopes", e.g.:
(... many lines of scopes omitted ...)
You can also add the scopes after the fact, if needed, by editing the instance while it is stopped.
Note that the first push for a project may additionally require "admin" rights, in order to create the bucket.
I'm trying to push an image to gitlab registry.
I've done it many times, so I wonder why I get this error.
I build the image with latest tag:
Successfully tagged registry.gitlab.com/mycompany/rgpd_api:latest
Then I login and I push:
docker login registry.gitlab.com -u gitlab+deploy-token-91931
docker push registry.gitlab.com/mycompany/rgpd_api:latest
But I get:
The push refers to repository [registry.gitlab.com/mycompany/rgpd_api]
be679cc302b9: Preparing
denied: requested access to the resource is denied
I gave gitlab+deploy-token-91931 token both read_repository and read_registry rights.
My repo is:
https://gitlab.com/mycompany/rgpd_api
I checked with docs page: https://docs.gitlab.com/ee/user/project/container_registry.html
But when I do it through Gitlab CI, with gitlab-ci-token
I can push it normally.
I also tried to regenerate a new token, but still same issue.
How can I fix it ?
I've stumbled upon this question as well and it turns out that
Group level Deploy tokens can be used to push images to group level container registry similarly to a PAT token with API access or other applicable scopes.
The image must be tagged with the tag that matches an existing project within the group.
Any image tagged differently will be rejected with the denied: requested access to the resource is denied error message.
So, with the setup below:
GitLab group called mytest
Project within that group called hello-world
Docker image tagged as registry.gitlab.com/mytest/hello-world
Deploy token created for an entire group
Docker daemon authorized to push to that registry by cat "<deploy_token>" | docker login -u "<token_username>" --password-stdin registry.gitlab.com
You will get the following results:
Successful push for docker push registry.gitlab.com/mytest/hello-world because such project exists within the group
denied: requested access to the resource is denied if you try to push an image tagged with the name of the project that does not exist in the group like docker push registry.gitlab.com/mytest/no-project
So, again, the image must be tagged to match an existing path within the group, like an existing project within the group or a subgroup.
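Added example (not part of the original answers): a pre-push check for the rule described above, that the image path must sit under an existing project. The function names and the PROJECTS inventory are assumptions made for illustration; a real inventory would come from your own list of projects in the group.

```shell
#!/bin/sh
# Added example: pre-push check that an image reference sits under an existing
# GitLab project path. Function names and PROJECTS are illustrative assumptions.

# Strip a tag or digest from an image reference, leaving host/path.
image_repo() {
    ref=${1%%@*}                  # drop "@sha256:..." if present
    last=${ref##*/}               # only the last path component can carry ":tag"
    case $last in
        *:*) ref=${ref%:*} ;;     # drop ":tag"; a ":port" in the host is kept
    esac
    printf '%s\n' "$ref"
}

# Print the project path that an image reference belongs to, or return 1.
# $1 = registry host, $2 = image reference, $3 = whitespace-separated project paths
match_project() {
    repo=$(image_repo "$2")
    case $repo in
        "$1"/*) path=${repo#"$1"/} ;;
        *) return 1 ;;            # wrong registry host
    esac
    for project in $3; do
        case $path in
            "$project"|"$project"/*)
                printf '%s\n' "$project"
                return 0 ;;
        esac
    done
    return 1                      # no such project: the push would be denied
}

# Constructed sample inventory of project paths in the group "mytest".
PROJECTS='mytest/hello-world
mytest/tools/nodemon'
```

Running match_project before docker push turns the generic "denied" response into a clear local failure when the tag points at a path with no project behind it.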
My error was to use a deploy token to push an image to a registry.
A deploy token can be used to pull an image, but not push it.
So, instead, you can generate a Personal Access Token. You should add at least permissions:
read_registry, write_registry
Make sure you have proper configuration in settings.
Go to Settings of project, then "Visibility, project features, permissions" and check "Container registry : Every project can have its own space to store its Docker images" (for members only or for everyone, up to you). Otherwise, the push and pull will be denied.
This happened to me and that's how I solved it.
You can make docker log out of your registry and log in again.
It recreates your token.
This worked in my case.
Somewhat of a GCR newbie question.
I have not been able to find any documentation on whether it is possible to push signed docker images to GCR. So I attempted it but it fails with following error below.
I first built a docker image, then tagged it to point to my project in GCR with "docker tag gcr.io/my-project/image-name:tag"
Then attempted signing using
"docker trust sign gcr.io/my-project/image-name:tag"
Error: error contacting notary server: denied: Token exchange failed for project 'gcr.io:my-project'. Please enable Google Container Registry API in Cloud Console at https://console.cloud.google.com/apis/api/containerregistry.googleapis.com/overview?project=gcr.io:my-project before performing this operation.
GCR API for my project is enabled and I have permissions to push to it.
Do I need to do something more in my project in GCP to be able to push signed images, OR is it just not supported?
If the latter, how does one (as an image consumer) verify the integrity of the image?
thanks,
J
This is currently not supported in Google Cloud Platform.
You can file a feature request to request its implementation here.
To verify an image's integrity, use image digests. Basically, they are cryptographic hashes associated with the image. You can compare the hash of the image you pulled with the hash you are expecting. Command reference here
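Added example (not part of the original answer): the digest comparison described above, written as a check a deploy script could run after a pull. The function names are assumptions made for illustration, and any digest values passed to it here would be constructed ones.

```shell
#!/bin/sh
# Added example: compare a pulled image's recorded digest with a pinned value.
# Function names are illustrative; the digests used with it are constructed.

# List the "repo@sha256:..." entries Docker recorded for a local image.
# Needs a Docker daemon, so it is kept apart from the comparison logic.
repo_digests() {
    docker image inspect \
        --format '{{range .RepoDigests}}{{println .}}{{end}}' "$1"
}

# $1 = expected digest, $2 = repository, $3 = whitespace-separated digest list
# Returns 0 on match, 1 on mismatch, 2 if the expected digest is malformed.
digest_matches() {
    expected=$1
    repo=$2
    hex=${expected#sha256:}
    if [ "$hex" = "$expected" ] || [ ${#hex} -ne 64 ]; then
        return 2                      # not "sha256:" plus 64 characters
    fi
    case $hex in
        *[!0-9a-f]*) return 2 ;;      # non-hex character
    esac
    for entry in $3; do
        if [ "$entry" = "$repo@$expected" ]; then
            return 0
        fi
    done
    return 1
}

# Typical use after a pull:
#   digest_matches "$PINNED" gcr.io/my-project/image-name \
#       "$(repo_digests gcr.io/my-project/image-name:tag)"
```

Pulling by digest (docker pull repo@sha256:...) makes the client itself reject content that does not hash to the pinned value.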
Google now implements the concept of Binary Authorization and "attestations" based off of Kritis. The intention is for this to be used within your CI/CD pipeline to ensure images have been created and validated correctly.
Full docs are here but the process basically consists of signing an image via a PKIX signature and then using the gcloud tool to create an attestation.
You then specify a Binary Authorization policy on your GKE cluster to enforce which attestations are required before an image is allowed to be used within the cluster.
No matter what I do I can't push images to google repository. I followed this guide and I do these commands directly from the google cloud shell
docker build -t eu.gcr.io/[project-id]/[imagename]:[tag] ~/[folder]
docker tag eu.gcr.io/[project-id]/[imagename]:[tag] eu.gcr.io/[project-id]/[imagename]:[tag]
docker push eu.gcr.io/[project-id]/[imagename]:[tag]
I get this output when pushing
4d1ea31bd998: Preparing
03b6a2b0817c: Preparing
104044bed4c7: Preparing
2222fefcbbfc: Preparing
75166708bd17: Preparing
5eefc1b802bb: Waiting
5c33df241050: Waiting
ffc4c11463ee: Waiting
denied: Unable to access the repository, please check that you have permission to access it.
I've searched for this online but everyone seems to have authentication issues. Since I can't execute this from either my local machine or the Google Cloud Shell, I don't think there's a problem there, since when I'm on the shell I'm using the owner account [owner]#[project-id]. I have billing and Container Registry API active
From my understanding pushing should create a bucket for this but I even tried creating a bucket but I have no idea if and how to configure it to be used for image repository. I have billing and Container Registry API activated
You probably did not authenticate with the registry. Please try to login before pushing. Just type in the console and enter your credentials:
docker login eu.gcr.io
I try to push my docker container to the google container registry, using this tutorial, but when I run
gcloud docker push b.gcr.io/my-bucket/image-name
I get the error :
The push refers to a repository [b.gcr.io/my-bucket/my-image] (len: 1)
Sending image list
Error: Status 403 trying to push repository my-bucket/my-image: "Access denied."
I couldn't find any more explanation (no -D, --debug, --verbose arguments were recognized), gcloud auth list and docker info tell me I'm connected to both services.
Anything I'm missing ?
You need to make sure the VM instance has enough access rights. You can set these at the time of creating the instance, or if you have already created the instance, you can also edit it (but first, you'll need to stop the instance). There are two ways to manage this access:
Option 1
Under the Identity and API access, select Allow full access to all Cloud APIs.
Option 2 (recommended)
Under the Identity and API access, select Set access for each API and then choose Read Write for Storage.
Note that you can also change these settings even after you have already created the instance. To do this, you'll first need to stop the instance, and then edit the configuration as mentioned above.
Use gsutil to check the ACL to make sure you have permission to write to the bucket:
$ gsutil acl get gs://<my-bucket>
You'll need to check which group the account you are using is in ('owners', 'editors', 'viewers' etc.)
EDIT: I have experienced a very similar problem to this myself recently and, as #lampis mentions in his post, it's because the correct permission scopes were not set when I created the VM I was trying to push the image from. Unfortunately there's currently no way of changing the scopes once a VM has been created, so you have to delete the VM (making sure the disks are set to auto-delete!) and recreate the VM with the correct scopes ('compute-rw', 'storage-rw' seems sufficient). It doesn't take long though ;-).
See the --scopes section here: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create
I am seeing this but on an intermittent basis. e.g. I may get the error denied: Permission denied for "latest" from request "/v2/...."., but when trying again it will work.
Is anyone else experiencing this?
For me I forgot to prepend gcloud in the line (and I was wondering how docker would authenticate):
$ gcloud docker push <image>
In your terminal, run the code below
$ sudo docker login -u oauth2accesstoken -p "$(gcloud auth print-access-token)" https://[HOSTNAME]
Where
[HOSTNAME] is your container registry location (it is either gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io). Check your tagged images to be sure by running $ sudo docker images.
If this doesn't fix it, try reviewing the VM's access scopes.
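Added example (not part of the original answers): one way to review a VM's access scopes, the cause named in several answers above (the default instance scopes grant only read access to storage, while a push needs read/write). The function names are assumptions made for illustration, and DEFAULT_SCOPES is constructed sample data.

```shell
#!/bin/sh
# Added example: classify a VM's access scopes for Container Registry pushes.
# Function names are illustrative; DEFAULT_SCOPES is constructed sample data.

SCOPE_BASE=https://www.googleapis.com/auth

# Ask the metadata server for the default service account's scopes.
# Only works from inside a Compute Engine VM.
fetch_scopes() {
    curl -s -H 'Metadata-Flavor: Google' \
        'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Print "write", "read-only" or "none" for a whitespace-separated scope list.
storage_access() {
    level=none
    for scope in $1; do
        case $scope in
            "$SCOPE_BASE/cloud-platform") level=write ;;
            "$SCOPE_BASE/devstorage.full_control") level=write ;;
            "$SCOPE_BASE/devstorage.read_write") level=write ;;
            "$SCOPE_BASE/devstorage.read_only")
                if [ "$level" = none ]; then level=read-only; fi ;;
        esac
    done
    printf '%s\n' "$level"
}

# Constructed sample: a VM with read-only storage scope, as in the answers.
DEFAULT_SCOPES="$SCOPE_BASE/devstorage.read_only
$SCOPE_BASE/logging.write
$SCOPE_BASE/monitoring.write"

# On a VM: storage_access "$(fetch_scopes)"
```

A result of "read-only" or "none" means the push is refused regardless of the service account's IAM roles, because the scopes cap what the VM's credentials can do.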
If you are using Docker 1.7.0, there was a breaking change to how they handle authentication, which affects users who are using a mix of gcloud docker and docker login.
Be sure you are using the latest version of gcloud via: gcloud components update.
So far this seems to affect gcloud docker, docker-compose and other tools that were reading/writing the Docker auth file.
Hopefully this helps.
Same problem here, the troubleshooting section from https://cloud.google.com/tools/container-registry/#access_denied wasn't very helpful. I have Docker and GCloud fully updated. Don't know what else to do.
BTW, I'm trying to push to "gcr.io".
Fixed. I was using a VM in Compute Engine as my development machine, and it looks like I didn't give it enough rights in Storage.
I had the same problem with access denied and I resolved it with creating new image using Tag:
docker tag IMAGE_WITH_ACCESS_DENIED gcr.io/my-project/my-new-image:test
After that I could PUSH It to Container registry:
gcloud docker -- push gcr.io/my-project/my-new-image:test
Today I also got this error inside Jenkins running on Google Kubernetes Engine when pushing the docker container. The reason was a node pool node version upgrade from 1.9.6-gke.1 to 1.9.7-gke.0 in gcp I did before. Worked again after the downgrade.
You need to log in to gcloud from the machine you are on:
gcloud auth login