10

I'm having permission issues when pushing my image to Container Registry. The error I'm getting is:

```
denied: Token exchange failed for project '<my project>'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
```

I followed the instructions step by step, here's what I've done:

  1. `gcloud auth configure-docker`

My docker config.json now contains:

```
{
  "auths": {},
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud"
  },
  "credsStore": "wincred",
  "HttpHeaders": {
    "User-Agent": "Docker-Client/18.09.0 (windows)"
  },
  "stackOrchestrator": "swarm"
}
```
  2. Tagged my image: `docker tag my/image eu.gcr.io/<my project>/my-image:latest`

  3. Run `docker push eu.gcr.io/<my project>/my-image:latest` (error follows)

Here's my setup

  • Windows 10 (10.0.17134 Build 17134)
  • Docker version 18.09.0, build 4d60db4
  • Google Cloud SDK 232.0.0, bq 2.0.40, core 2019.01.27, gsutil 4.35

I have checked that my active account is correct (gcloud auth login points to the correct login email) and the account has Owner permissions. I have also tried by specifically adding Storage Admin permissions to the account, but to no avail.

Please help me push my image!

David
  • Hmmm :-( Has this ever worked for you? I'm unsure why this isn't working as you appear to be following the correct process. I've never used this from Windows and wonder when `config.json` is misconfigured. Using this account are you able to create GCS buckets? (`gsutil mb -p gs://`). Are you able to push after an explicit docker login? (https://cloud.google.com/container-registry/docs/advanced-authentication#access_token) – DazWilkin Feb 02 '19 at 21:35
  • I can create a new bucket using the `gsutil mb` command, yes. But you just pointed me in an interesting direction. I manage two Google Cloud accounts. And although I am logged in using account 1 and can create buckets under that account, I just successfully pushed my image (after tagging it with the corresponding project name) to the Container Registry under the other account. I was assuming that switching account using `gcloud auth login` will take care of everything but that doesn't seem to be the case. Can you (or someone else) help me understand how to correct this? – David Feb 02 '19 at 22:39
  • You may be logged in using multiple Google accounts. To list credentialed accounts use `gcloud auth list`. This will indicate the currently selected account with an asterisk. To switch between credentialed accounts use `gcloud config set account `. – DazWilkin Feb 03 '19 at 00:05
  • `gcloud auth list` shows both accounts and the asterisk points to the correct one. I'm puzzled why I'm able to docker push to an account that is not selected. – David Feb 03 '19 at 00:37
  • Your configuration is not clear to me. You don't push to accounts but to buckets in projects that are governed by accounts. It may be helpful for you to work backwards from the working scenario to see what's going wrong. – DazWilkin Feb 03 '19 at 00:47

2 Answers

12

A potential cause is that the active gcloud PROJECT_ID does not match the registry you are pushing to.

```
gcloud config set project <PROJECT_ID>
gcloud builds submit --tag gcr.io/<PROJECT_ID>/foo
```

Ensure the PROJECT_ID matches or provide access in IAM if the projects are in fact different.

JeffD23
5

Try passing the project flag, `--project=<<PROJECT-ID>>`, to your command. If you are managing multiple projects, gcloud might cache the wrong permissions.

redryk
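
A preflight check for the mismatch both answers point to, as an added example that is not part of the original answers: it compares the project in the image tag with gcloud's active project and confirms the registry host is mapped to the `gcloud` credential helper. The function names, the sample config and the project IDs are constructed for illustration; domain-scoped project IDs are not handled.

```python
import json
import re
import shutil
import subprocess
import sys
from pathlib import Path

# Constructed sample, modelled on the config.json shown in the question.
SAMPLE_CONFIG = {"credHelpers": {"gcr.io": "gcloud", "eu.gcr.io": "gcloud"}, "credsStore": "wincred"}
# gcr.io plus prefixed hosts such as eu.gcr.io; path is <project>/<repo>[:tag|@digest].
GCR_REF = re.compile(r"^(?P<host>(?:[a-z0-9-]+\.)?gcr\.io)/(?P<project>[^/]+)/(?P<repo>[^:@]+)")

def parse_gcr_ref(image):
    """Split 'eu.gcr.io/<project>/<repo>:tag' into (host, project, repo)."""
    m = GCR_REF.match(image)
    if not m:
        raise ValueError(f"not a Container Registry reference: {image!r}")
    return m["host"], m["project"], m["repo"]

def preflight(image, active_project, docker_config):
    """Return a list of findings; an empty list means tag and gcloud agree."""
    host, project, _ = parse_gcr_ref(image)
    findings = []
    if project != active_project:
        findings.append(f"tag targets project {project!r} but the active "
                        f"gcloud project is {active_project!r}")
    helper = docker_config.get("credHelpers", {}).get(host)
    if helper != "gcloud":
        # Without a per-registry helper Docker falls back to credsStore, then auths.
        fallback = docker_config.get("credsStore", "auths")
        findings.append(f"{host} is not mapped to the gcloud helper; Docker uses {fallback!r}")
    return findings

def gcloud_value(*args):
    """Run a read-only gcloud command and return its trimmed stdout."""
    exe = shutil.which("gcloud")  # resolves gcloud.cmd on Windows
    if exe is None:
        raise RuntimeError("gcloud not found on PATH")
    out = subprocess.run([exe, *args], capture_output=True, text=True, check=True)
    return out.stdout.strip()

if __name__ == "__main__":
    image = sys.argv[1]
    config = json.loads((Path.home() / ".docker" / "config.json").read_text())
    print("active account:", gcloud_value("auth", "list", "--filter=status:ACTIVE", "--format=value(account)"))
    problems = preflight(image, gcloud_value("config", "get-value", "project"), config)
    for p in problems:
        print("MISMATCH:", p)
    sys.exit(1 if problems else 0)
```

Run it with the full image reference as the only argument before `docker push`; a non-zero exit means the tag and the local gcloud or Docker configuration disagree.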