9

Whenever I attempt to push a container to the Google Container Registry from my local machine, I get the following error:

denied: Unable to access the repository; please check that you have permission to access it.

If I open the Cloud Shell, I can push containers with no problems. I have tried doing "gcloud auth login" several times and it seems to make no difference. I don't have any problems running other gcloud commands locally. Any help would be greatly appreciated.

Dale Alleshouse
  • 1,627
  • 2
  • 17
  • 24
  • Today faced it ... This happened as I chose Asia data center from command line ... To resolve I deleted the project and created a new one and followed https://cloud.google.com/datastore/docs/locations and chose datacenter us-central and it resolved the issue – Neeraj Krishna Oct 24 '17 at 03:31

6 Answers6

6

FYI for other customers running into similar issues: https://github.com/docker/docker/issues/22910

There exists a bug with current versions of the Docker client (1.11, 1.12), and the default credential stores which are being enabled on new installations, which break private registries. Removing the

"credsStore": "whatever"

field from your docker config (e.g. ~/.docker/config.json) and running

gcloud docker ...

should fix the issue.

Update:

Alternately, we've implemented a credential helper of our own which solves the problem for our customers (i.e. doesn't get tripped up by the lack of a scheme in the GCR URLs that the Docker client uses to request credentials). To install the credential helper:

  • Download the helper binary and put it on your PATH
  • Execute docker-credential-gcr configure-docker to configure to the Docker client
jsand
  • 595
  • 4
  • 8
  • 1
    Thanks so much for your help! I'm very impressed by the support I received from Google on this issue (even though it wasn't really your issue). – Dale Alleshouse Sep 01 '16 at 22:52
  • We aim to please! – jsand Sep 02 '16 at 18:15
  • 1
    OMG! why didn't i see this earlier.. spent 3 days trying to upload an docker image to my google container registry with no success. Thanks a lot! – Tianhai Sep 18 '16 at 05:40
  • it's entirely unclear to me if I should be able to push up a docker image from my office laptop into GCR. i've seen some people advise running this whole process from a google server (ec2 instance basically). – Randy L Oct 12 '16 at 21:39
  • You should be able to push to GCR from anywhere that you can run Docker. – jsand Oct 13 '16 at 22:03
  • Using docker-credential-gcr for solving this particular issue is not required anymore is this correct ? Probably most people having authentication issues have (like me :) forgotten to allow both `container engine admin` AND `cloud storage admin` for the service account – Overdrivr Apr 25 '17 at 06:36
  • I can't find the `container engine admin` role. In fact there's no `container engine` section in the roles. It works if I set the service account role to `Project -> Editor`, which is less than ideal. So it works without docker-credential-gcr, but I can't find the proper roles. – RedShift Dec 30 '17 at 18:23
  • 1
    @RedShift looks like it was moved under the `Kubernetes Engine` category during the rename. If you just want to pull (and/or push) images to GCR, `Storage Object Viewer` (or `Storage Admin`) is all you need: https://cloud.google.com/container-registry/docs/access-control – jsand Jan 02 '18 at 02:13
  • 1
    Confirmed that Storage Admin suffices to pull and push images. – RedShift Jan 02 '18 at 13:50
2

Have you run gcloud auth login?

Lizhu Qi
  • 197
  • 1
  • 5
1

This sounds like gcloud might not know which project to associate you as.

You can run

gcloud info

to verify which project gcloud is using.

If it doesn't list the project that you are pushing the image under, you can specify it with the --project flag like

gcloud --project= docker push ...

To set the default project for gcloud, you can run

gcloud config set project

k4leung4
  • 261
  • 2
  • 3
1

I had this same problem, nothing solved it until I completely removed the folders listed under gcloud info (the install and config directories) then reinstalled the sdk.

Then ran gcloud components install docker-credential-gcr and set that back up. Everything worked.

zackify
  • 5,314
  • 2
  • 22
  • 28
0

Just to give an updated answer: I wanted to push to eu.gcr.io. Therefore, I need to authenticate to that registry (took me a while to figure that out).

So first:

docker login -e 1234@5678.com -u oauth2accesstoken -p "$(gcloud auth print-access-token)" https://eu.gcr.io

Second:

 gcloud docker -- push eu.gcr.io/myProjectName/myComputeMachineName

Using cygwin on windows 10 pro (on Hyper-V) and these versions:

$ gcloud --version
Google Cloud SDK 148.0.0
bq 2.0.24
bq-nix 2.0.24
core 2017.03.17
core-nix 2017.02.28
gcloud
gcloud-deps 2017.02.28
gcloud-deps-linux-x86_64 2017.02.28
gsutil 4.23
gsutil-nix 4.22

and

$ docker --version
Docker version 17.03.1-ce-rc1, build 3476dbf
Dr. Max Völkel
  • 1,780
  • 2
  • 17
  • 24
0

I had the same problem while trying to use GCP on a personal projet :

A look at the activity tab in GCP console showed me that I was trying to push with my professional email address (not allowed on the project) even if I just logged in with my personal one using : 

gcloud auth login

The reason was that I also ran a few months ago this command :

gcloud auth application-default login

with my professional email address.

I just had to run it again, log in with my personal address and everything worked fine !

Err0r500
  • 25
  • 3