
I'm using the standalone Docker credential helper authentication option to push Docker images to GCR. I ran the following command locally, which created a config.json file at the following path - C:\Users\sunny.goel.docker

***docker-credential-gcr configure-docker***

Then I issued the following command to get the credential for the us.gcr.io region and noticed that the secret returned in the output doesn't match the auth attribute value for the us.gcr.io region in the config.json file. Shouldn't it ideally match?

***echo "https://us.gcr.io" | docker-credential-gcr get***

Moreover, where can we find the caller information to assign the required roles (storage admin)? I do see a number of service accounts but am not sure which one is used to create storage buckets?

alp
Sunny Goel
  • It seems that in the "config.json" file we see "token", and when we run "$echo "https://us.gcr.io" | docker-credential-gcr get", it returns "secret". Also, the error you are getting seems like an issue with Cloud IAM permissions. You can run "$gcloud auth list" to find the active account and see if that account has the "Storage Admin" role. – Rahi Jan 03 '19 at 00:22

1 Answer

Have you run `docker-credential-gcr gcr-login`? If you have done so, it should use your account to access the storage. If not, do you have gcloud installed and logged in?

Once the credential helper is set in your config.json, you should see something like:

```
"credHelpers": { "us.gcr.io": "gcr", "gcr.io": "gcr", ... }
```

If you have that, then Docker would ignore the auths attribute.

shou3301
  • Hi @shou3301, thanks for your response. I ran "docker-credential-gcr gcr-login" as a backup option to push images to GCR. Yes, it used my account to access the storage. I can see the credHelpers object in the config.json file, but it's throwing an error that "Caller doesn't have permission to create or get storage buckets". Which account is used to create/get the bucket in this case? – Sunny Goel Dec 28 '18 at 19:34
  • Moreover, what's the purpose of the auths attribute then? – Sunny Goel Dec 28 '18 at 19:36
  • What do you mean by running `docker-credential-gcr gcr-login` as a backup option? What's your first option? If it uses your account to access the storage, it should use the same account (your account) to create the bucket. Definitely check if you have permission to do so in IAM. – shou3301 Jan 02 '19 at 19:49
  • You are right. I was thinking in a different direction. docker-credential-gcr is GCR's standalone, gcloud SDK independent Docker credential helper. After configuring the Docker CLI using the following command (docker-credential-gcr configure-docker), we need to run the following command (docker-credential-gcr gcr-login) as well to authenticate with GCR. – Sunny Goel Jan 03 '19 at 20:12
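
Added example (not part of the original answer, and not code from Docker or docker-credential-gcr): a small audit script showing why the helper's secret need not match the `auths` value, by resolving which credential source the Docker CLI consults for a registry (`credHelpers`, then `credsStore`, then `auths`). The function names, the hostname normalization and the sample config values are assumptions constructed for illustration.

```python
import base64


def registry_host(registry):
    """Simplified normalization (assumption): drop scheme and path, keep host."""
    return registry.split("://", 1)[-1].split("/", 1)[0]


def credential_source(config, registry):
    """Return (source, detail) for where Docker looks up credentials.

    Precedence: a per-registry credHelpers entry, then the global credsStore,
    then the base64 "auth" value stored in the auths section of config.json.
    """
    host = registry_host(registry)
    helpers = config.get("credHelpers", {})
    if host in helpers:
        # Helper "gcr" resolves to the docker-credential-gcr binary.
        return ("credHelpers", "docker-credential-" + helpers[host])
    if config.get("credsStore"):
        return ("credsStore", "docker-credential-" + config["credsStore"])
    for key, entry in config.get("auths", {}).items():
        if registry_host(key) == host and entry.get("auth"):
            # auth is base64("user:secret"); report only the username.
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            return ("auths", user)
    return ("none", None)


def b64(user, secret):
    """Build an auths-style value for the constructed sample below."""
    return base64.b64encode(f"{user}:{secret}".encode()).decode()


# Constructed sample config.json content (not taken from the question).
SAMPLE_CONFIG = {
    "credHelpers": {"us.gcr.io": "gcr", "gcr.io": "gcr"},
    "auths": {
        "https://us.gcr.io": {"auth": b64("stale-user", "stale-secret")},
        "registry.example.com": {"auth": b64("demo-user", "demo-secret")},
    },
}

if __name__ == "__main__":
    for reg in ("https://us.gcr.io", "registry.example.com", "eu.gcr.io"):
        print(reg, "->", credential_source(SAMPLE_CONFIG, reg))
```

For `us.gcr.io` the stale `auths` entry is never consulted, but it is still a decodable credential on disk and worth removing.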