0

While trying to push a docker image on Google Cloud Registry using Google cloud cli, i am getting an error :

denied: Token exchange failed for project . Access denied.

I have followed the below steps :

  1. Installed Google cloud sdk shell
  2. Downloaded a key json file for my IM account
  3. Set authentication using following command :

google-cloud-sdk/bin/gcloud auth activate-service-account --key-file <path_to_json_file>

  1. Executed below command for login:

docker login -u _json_key --password-stdin https://asia.gcr.io < path_to_json_file

  1. Built and tagged a docker image.

  2. Tried pushing an image to GCR using following command :

docker push "asia.gcr.io/$GCLOUD_PROJECT_ID/$IMAGE_NAME:latest"

I am getting result as follows: 

The push refers to repository [asia.gcr.io/<my_project_id>/<my_image_name>]
1bd77e11e1bf: Preparing
b57c79f4a9f3: Preparing
d60e01b37e74: Preparing
e45cfbc98a50: Preparing
762d8e1a6054: Preparing

denied: Token exchange failed for project <my_project_id>. Access denied.

Note : 1. My GCR API is already enabled.

  1. Docker version I am using is 'Docker version 18.09.2, build 6247962'

  2. I am using windows machine where Google cloud CLI is installed. So all the operations are being performed from Widows only.

  3. Same thing I have tried on Gitlab image 'Docker:latest' in my Gitlab pipeline. Error is same at both places (My local Windows machine and Gitlab Pipeline)

Rushikesh Mandage
  • 21
  • 1
  • 1
  • 4
  • Are you sure your user can push to your project's Google Container Registry? What roles do you have on your project? You should have role `roles/storage.admin` to be able to push in GCR (check the docs here : https://cloud.google.com/container-registry/docs/access-control). – norbjd Mar 23 '19 at 16:50
  • HI @norbjd, I don't have storage bucket created. As per the docs, I should push an image first , then only I will be having a bucket. Otherwise IAM user I have created has storage.admin role. Still I am unable to push an image – Rushikesh Mandage Mar 23 '19 at 17:26
  • Creating buckets does not matter actually :) it's just that GCR use Google Cloud Storage internally to store images, so to be able to push images, accounts must have `roles/storage.admin` role. But I understand your confusion. Anyway, if your user have that role, the problem should come from somewhere else. Can you try to push an image from Cloud Shell with your user to check if it's not related to your local environment? – norbjd Mar 23 '19 at 17:44

0 Answers0