1

I'm seeing a permissions bug when using docker push as described in the Google Artifact Registry Quickstart. As noted in that question, the problem seems to come down to missing scopes on the access token. In my local shell, the scopes are these (as indicated by https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=<token>):

openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/accounts.reauth

When I run the same sequence of steps in Cloud Shell, I have many more scopes on the access token:

https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/bigquery https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/devstorage.read_only https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/ndev.cloudman https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/sqlservice.admin https://www.googleapis.com/auth/prediction https://www.googleapis.com/auth/projecthosting https://www.googleapis.com/auth/source.full_control https://www.googleapis.com/auth/source.read_only https://www.googleapis.com/auth/source.read_write openid"

I'm not able to pinpoint what differences between my Cloud Shell configuration and my local one might cause this difference in scopes. These commands all have the same output on both:

$ gcloud auth list
Credentialed Accounts

ACTIVE: *
ACCOUNT: <my email address>

$ cat ~/.docker/config.json
{
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud",
    "us-central1-docker.pkg.dev": "gcloud"
  }
}

gcloud config list shows these differences:

// in Cloud Shell
[accessibility]
screen_reader = True
[component_manager]
disable_update_check = True
[compute]
gce_metadata_read_timeout_sec = 30
[core]
account = <my email address>
disable_usage_reporting = True
project = <my project>
[metrics]
environment = devshell

// on my local machine
[core]
account = <my email address>
disable_usage_reporting = True
pass_credentials_to_gsutil = false
project = <my project>

Questions:

  1. What are scopes here anyway? What is their relationship to the roles assigned to the project principal (example@stackoverflow.com)?
  2. What could be causing my scopes to differ in Cloud Shell vs on my local machine? How do I fix it so I can correctly access the Artifact Registry locally?

EDIT:

To clarify, here are the commands I'm running and the error I'm seeing, which exactly duplicates the SO question referenced above. Commands are taken directly from the [Artifact Registry Quickstart] (https://cloud.google.com/artifact-registry/docs/docker/quickstart#gcloud). This question was intended to be about scopes, but seems like those may not be my issue.

$ gcloud auth configure-docker us-central1-docker.pkg.dev
WARNING: Your config file at [~/.docker/config.json] contains these credential helper entries:

{
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud",
    "us-central1-docker.pkg.dev": "gcloud"
  }
}
Adding credentials for: us-central1-docker.pkg.dev
gcloud credential helpers already registered correctly.


$ sudo docker tag us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0 \
us-central1-docker.pkg.dev/<my project>/quickstart-docker-repo/quickstart-image:tag1

$ sudo docker push us-central1-docker.pkg.dev/<my project>/quickstart-docker-repo/quickstart-image:tag1              
The push refers to repository [us-central1-docker.pkg.dev/<my project>/quickstart-docker-repo/quickstart-image]
260c3e3f1e70: Preparing 
e2eb06d8af82: Preparing 
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/qwanto/locations/us-central1/repositories/quickstart-docker-repo" (or it may not exist)
Sasgorilla
  • 2,403
  • 2
  • 29
  • 56

2 Answers2

3

What are scopes here anyway? What is their relationship to the roles assigned to the project principal (example@stackoverflow.com)?

In Google Cloud, permissions for an identity are determined by Google Cloud IAM roles. This is an important point to understand.

OAuth Scopes are using when requesting authorization. Scopes can limit permissions granted to a subset of the permissions granted by an IAM role. Scopes cannot grant permissions that exceed or are not included by an IAM role.

Think of the resulting permissions being the intersection of IAM Roles and OAuth Scopes.

Note: You have the scope https://www.googleapis.com/auth/cloud-platform which is sufficient. The other scopes are just extras. Ignore scopes and make sure your IAM roles are correct.

What could be causing my scopes to differ in Cloud Shell vs on my local machine? How do I fix it so I can correctly access the Artifact Registry locally?

You are chasing the wrong details (scopes) in solving your problem. Provided that you have the correct IAM roles granted to your identity, you can push to Container Registry and Artifact Registry.

John Hanley
  • 74,467
  • 6
  • 95
  • 159
  • Thank you @John Hanley -- to clarify, I think you mean the resulting permissions are the intersection (not union) of Oauth scopes and IAM roles? That makes sense. Unfortunately it doesn't resolve my specific issue as I definitely have the `artifactregistry.repositories.downloadArtifacts` permission through several different IAM roles on my principal (`Owner` and `Artifact Registry Administrator`, to start). (Presumably that's why the push succeeds in Cloud Shell.) – Sasgorilla Sep 17 '21 at 20:43
  • Thank you for the **union** word error. The scope **cloud-platform** grants all permissions that are granted by the IAM roles granted to the identity. This means if you have the role **Owner** you have the permission to push to GCR/GAR (artifactregistry.repositories.uploadArtifacts). Provided you are using the correct identity, then your problem is not with roles/permissions or scopes. Note: that only partially applies to Compute Engine, as there is another layer of **scope** access control on Compute Engine VMs. – John Hanley Sep 17 '21 at 21:45
  • @Sasgorilla Several items that are missing from your question: 1) Show the command that you are using for authorization setup for pushing images. 2) What is the push command and the error message. – John Hanley Sep 17 '21 at 21:47
  • I didn't want to duplicate the [permissions bug question](https://stackoverflow.com/questions/64141411/google-cloud-container-registry-artifact-registry-permissions) which already captures my error, but what the heck. I edited the question to include those details. Also note that (as in the original question) the error message definitely refers to `downloadArtifacts`, even though I'm uploading ... puzzling. – Sasgorilla Sep 18 '21 at 18:13
  • @Sasgorilla You do not have permission to download from projects/qwanto/locations/us-central1/repositories/quickstart-docker-repo – John Hanley Sep 18 '21 at 19:06
0

Presumably running in the same issue, I've found the solution somewhat hidden in the docs (at the end of the linked section):

Note: If you normally run Docker commands on Linux with sudo, Docker looks for Artifact Registry credentials in /root/.docker/config.json instead of $HOME/.docker/config.json. If you want to use sudo with docker commands instead of using the Docker security group, configure credentials with sudo gcloud auth configure-docker instead.

So basically, the quick-start works only if you don't use sudo for running docker.

mc51
  • 1,883
  • 14
  • 28