Unable to run gcloud docker push from google compute engine instance - docker

When I do gcloud docker push i get the following error.
denied: Unable to create the repository, please check that you have access to do so.
gcloud info shows correct project name as configured in gcloud.
Can somebody please guide me with this issue? Or suggest an alternative.
I have tried directly logging in without gcloud, login succeeds but push fails
$docker login -e 2983212121577-compute#developer.gserviceaccount.com -u oauth2accesstoken -p "$(gcloud auth print-access-token)" https://gcr.io
Flag --email has been deprecated, will be removed in 1.14.
Login Succeeded
$ docker push gcr.io/project/imagename
...
denied: Unable to create the repository, please check that you have access to do so.
$ gcloud --version
Google Cloud SDK 147.0.0
$ docker --version
Docker version 17.03.0-ce, build 3a232c8

If you do
gcloud docker -- push gcr.io/X/Y
you will need to have permission to write to the GCP named 'X'. Typically you will need to be added to that project as a project EDITOR.
In this case GCR does not complain about the project shown by 'gcloud info'.

Related

Google Container Registry permission

I am trying to push docker image to GCP, but i am still getting this error:
unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
I follow this https://cloud.google.com/container-registry/docs/quickstart step by step and everything works fine until docker push
It's clear GCP project
I've already tried:
use gcloud as a Docker credential helper:
gcloud auth configure-docker
reinstall Cloud SDK and gcloud init
add Storage Admin role to my account
What I am doing wrong?
Thanks for any suggestions
If it can help those in the same situation as me:
Docker 19.03
Google cloud SDK 288.0.0
Important: My user is not in a docker user group. I then have to prepend sudo before any docker command
When gcloud and docker are not using the same config.json
When I use gcloud credential helper:
gcloud auth configure-docker
it updates the JSON config file in my $HOME: [/home/{username}/.docker/config.json]. However, when logging out and login again from Docker CLI,
sudo docker login
The warning shows a different path, which makes sense as I sudo-ed:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
sudo everywhere
To fix it, I did the following steps:
# Clear everything
sudo docker logout
sudo rm /root/.docker/config.json
rm /home/{username}/.docker/config.json
# Re-login
sudo docker login
sudo gcloud auth login --no-launch-browser # --no-launch-browser is optional
# Check both Docker CLI and gcloud credential helper are here
sudo vim /root/.docker/config.json
# Just in case
sudo gcloud config set project {PROJECT_ID}
I can now push my Docker images to both GCR and Docker hub

docker push to gcr.io fails with "denied: Token exchange failed for project"

I've discovered a flow that works through GCP console but not through the gcloud CLI.
Minimal Repro
The following bash snippet creates a fresh GCP project and attempts to push an image to gcr.io, but fails with "access denied" even though the user is project owner:
gcloud auth login
PROJECT_ID="example-project-20181120"
gcloud projects create "$PROJECT_ID" --set-as-default
gcloud services enable containerregistry.googleapis.com
gcloud auth configure-docker --quiet
mkdir ~/docker-source && cd ~/docker-source
git clone https://github.com/mtlynch/docker-flask-upload-demo.git .
LOCAL_IMAGE_NAME="flask-demo-app"
GCR_IMAGE_PATH="gcr.io/${PROJECT_ID}/flask-demo-app"
docker build --tag "$LOCAL_IMAGE_NAME" .
docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH"
docker push "$GCR_IMAGE_PATH"
Result
The push refers to repository [gcr.io/example-project-20181120/flask-demo-app]
02205dbcdc63: Preparing
06ade19a43a0: Preparing
38d9ac54a7b9: Preparing
f83363c693c0: Preparing
b0d071df1063: Preparing
90d1009ce6fe: Waiting
denied: Token exchange failed for project 'example-project-20181120'. Access denied.
The system is Ubuntu 16.04 with the latest version of gcloud 225.0.0, as of this writing. The account I auth'ed with has role roles/owner.
Inconsistency with GCP Console
I notice that if I follow the same flow through GCP Console, I can docker push successfully:
Create a new GCP project via GCP Console
Create a service account with roles/owner via GCP Console
Download JSON key for service account
Enable container registry API via GCP Console
gcloud auth activate-service-account --key-file key.json
gcloud config set project $PROJECT_ID
gcloud auth configure-docker --quiet
docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH" && docker push "$GCR_IMAGE_PATH"
Result: Works as expected. Successfully pushes docker image to gcr.io.
Other attempts
I also tried using gcloud auth login as my #gmail.com account, then using that account to create a service account with gcloud, but that gets the same denied error:
SERVICE_ACCOUNT_NAME=test-service-account
gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"
KEY_FILE="${HOME}/key.json"
gcloud iam service-accounts keys create "$KEY_FILE" \
--iam-account "${SERVICE_ACCOUNT_NAME}#${PROJECT_ID}.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
--member "serviceAccount:${SERVICE_ACCOUNT_NAME}#${PROJECT_ID}.iam.gserviceaccount.com" \
--role roles/owner
gcloud auth activate-service-account --key-file="${HOME}/key.json"
docker push "$GCR_IMAGE_PATH"
Result: denied: Token exchange failed for project 'example-project-20181120'. Access denied.
I tried to reproduce the same error using bash snippet you provided, however it successfully built the ‘flask-demo-app’ container registry image for me. I used below steps to reproduce the issue:
Step 1: Use account which have ‘role: roles/owner’ and ‘role: roles/editor’
Step 2: Created bash script using your given snippet
Step 3: Added ‘gcloud auth activate-service-account --key-file skey.json’ in script to authenticate the account
Step 4: Run the bash script
Result : It created the ‘flask-demo-app’ container registry image
This leads me to believe that there might be an issue with your environment which is causing this error for you. To troubleshoot this you could try running your code on a different machine, a different network or even on the Cloud Shell.
In my case project IAM permission was the issue. Make sure proper permission given and also cloud resource/container registry API enabled.
GCP Access Control

Access Docker Container from project registry

So I have my docker image uploaded to my projects registry. I can navigate to https://console.cloud.google.com/gcr/images/ and I see my Image listed there.
Now I want to run a VM on this project and on this one use docker to run this very image.
This is the command within my VM:
sudo /usr/bin/docker run eu.gcr.io/my-project-name/example001
The response is:
Unable to find image 'eu.gcr.io/.../example001:latest' locally
/usr/bin/docker: Error response from daemon: unauthorized: You don't have the needed permissions to perform this op
eration, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.goo
gle.com/container-registry/docs/advanced-authentication.
See '/usr/bin/docker run --help'.
Please see the image attached. I can list my images if I define "eu.gcr.io/..." as my project path. However the machine seems to run on ".gcr.io" so therefor not able to access my image? How would I fix this - and why is my image on "eu.gcr.io" and the machine on ".gcr.io", I cant find a method to change this (either move the image to gcr.io or move the machine to, eu.gcr.io). However I'm not sure if this is the issue.
Maybe it is an authentication issue with docker?
VM basically cannot be on ".gcr.io", it can run in non-European region/zone, but it shouldn't be a problem.
From GCP access control point of view registry is just a bucket.
So I believe first thing you need to check is that VM has access to Google Cloud Storage.
With gcloud:
gcloud compute instances describe <instance-name>
check if VM has scope to read from devstorage:
serviceAccounts:
- email: ...-compute#developer.gserviceaccount.com
scopes:
- https://www.googleapis.com/auth/devstorage.read_only
- ...
This scope should be in place to read from registry:
https://www.googleapis.com/auth/devstorage.read_only
If you don't have such scope on VM, but have there gcloud configured, you can use gcloud as credential helper:
gcloud auth configure-docker
as stated in doc you referred: https://cloud.google.com/container-registry/docs/advanced-authentication#gcloud_as_a_docker_credential_helper
The answer is found here:
https://serverfault.com/questions/900026/gcp-no-access-to-container-registry-from-compute-engine
It is the docker command which needs the authorization. Not the hostname (eu.gcr.io) is the issue here. I used 'gcloud docker -- pull ...' command to get the image from the repository to use within my VM.
after you create linux VM on GCP, SSH to it, you have to install Google SDK 1 using Cloud SDK with scripts]1 or manually.
If you are running Ubuntu follow the documentation here if you are installing with Red Hat or CentOS follow the documentation here after finishing the Google SDK you have to Run gcloud init to initialize the SDK, just open a terminal and tape [gcloud init] you have to configure your profile. after that you have to install Docker
sudo apt-get -y install docker-ce
sudo systemctl start docker
You need to have access to the registries which you will be pushing to and pulling from.
Configured Docker to use gcloud as a credential helper. To use gcloud as the crediential helper, run the command:
gcloud auth configure-docker
After that you can pull or push images on your registry using the gcloud command with the docker as shown below:
Push: gcloud docker -- push gcr.io/google-containers/example-image:latest
pull: gcloud docker -- pull gcr.io/google-containers/example-image:latest

What's causing authentication error when pushing Docker image to Google Container Registry?

I am trying to push a Docker image to Google Container Registry from a CircleCI build, as per their instructions. However, pushing to GCR fails due to an apparent authentication error:
Using 'push eu.gcr.io/realtimemusic-147914/realtimemusic-test/realtimemusic-test' for DOCKER_ARGS.
The push refers to a repository [eu.gcr.io/realtimemusic-147914/realtimemusic-test/realtimemusic-test] (len: 1)
Post https://eu.gcr.io/v2/realtimemusic-147914/realtimemusic-test/realtimemusic-test/blobs/uploads/: token auth attempt for registry: https://eu.gcr.io/v2/token?account=oauth2accesstoken&scope=repository%3Arealtimemusic-147914%2Frealtimemusic-test%2Frealtimemusic-test%3Apush%2Cpull&service=eu.gcr.io request failed with status: 403 Forbidden
I've prior to pushing the Docker image authenticated the service account against Google Cloud:
echo $GCLOUD_KEY | base64 --decode > ${HOME}/client-secret.json
gcloud auth activate-service-account --key-file ${HOME}/client-secret.json
gcloud config set project $GCLOUD_PROJECT_ID
Then I build the image and push it to GCR:
docker build -t $EXTERNAL_REGISTRY_ENDPOINT/realtimemusic-test -f docker/test/Dockerfile .
gcloud docker push -- $EXTERNAL_REGISTRY_ENDPOINT/realtimemusic-test
What am I doing wrong here?
Have you tried using the _json_key method for authenticating with Docker?
https://cloud.google.com/container-registry/docs/advanced-authentication
After that, please use naked 'docker' (without 'gcloud').
If you are pushing docker image using google cloud sdk. You can use temporary authorization with the following command:
gcloud docker --authorize-only
The above command gives you a temporary authorization for pushing and pulling images using docker.
You can refer this link for details Gcloud docker.
Hope it helps to solve your issue.
After many retries... I solved using access token:
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://[HOSTNAME]
The service account requires permission to write to the Cloud Storage bucket containing the container registry. Granting the service account either the project editor role or write access to the bucket (via ACL) solves the issue. The latter should be preferable since the account doesn't receive wider permissions than it needs.

Creating first image on bluemix docker

I'm trying to create a simple ubuntu image on docker within Bluemix.
I have the cli setup (at the latest version) but keep getting a login prompt when trying to push the image.
My dockerfile is trivial:
FROM docker.io/ubuntu:latest
MAINTAINER My Name
RUN echo "Imaged" > /tmp/image.txt
I build it with
sudo docker build -t ubuntu
then tag it with
sudo docker tag ubuntu registry.eu-gb.bluemix.net/MYNAMESPACE/ubuntu
I login with
cf login
Then push with
[ibmcloud#analyticsadmin docker]$ sudo docker push registry.ng.bluemix.net/MYNAMESPACE/ubuntu
The push refers to a repository [registry.ng.bluemix.net/MYNAMESPACE/ubuntu] (len: 1)
Sending image list
Please login prior to push:
Username:
I'm new to bluemix/docker so user error is highly likely. Can you spot my error? My DOCKER* environment variables are set as appropriate for my bluemix container service.
It seems you missed the step to login to the IBM Containers registry, that's why docker push is asking you for the username.
After cf login you have to run the following command as well:
$ cf ic login
This will authenticate you to the IBM Containers registry so you can push your images.
Please note that ic is a plugin you have to install for the cf command line interface. If you have not installed it yet please see instructions in the following link:
https://www.ng.bluemix.net/docs/containers/container_cli_cfic.html#container_cli_cfic_install
For example to install plugin in Linux system run the following command:
$ cf install-plugin https://static-ice.ng.bluemix.net/ibm-containers-linux_x64
A typo I see in your commands is that you tag your container for sending it to the UK data center (eu-gb) then try to push it to the south US one (ng), that's why I think the second command asks you to login.

Resources