I'm trying to push containers to the Google Cloud Container Registry or the Google Cloud Artifact Registry on Windows 10 using the Google Cloud SDK. I'm getting a similar permissions error from both services however I can't seem to figure out why. For the Container Registry, on push I get:
> docker push us.gcr.io/{PROJECT}/{PATH}/{CONTAINER}:{TAG}
unauthorized: You don't have the needed permissions to perform this operation,
and you may have invalid credentials. To authenticate your request, follow the
steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
For the Artifact Registry, on push I get:
> docker push northamerica-northeast1-docker.pkg.dev/{PROJECT}/{REPOSITORY}/{CONTAINER}:{TAG}
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource
"projects/opallabs/locations/northamerica-northeast1/repositories/domar" (or it may not exist)
I've run gcloud init
and gcloud auth configure-docker
a few times. I can create and edit Google Cloud resources from the command line using gcloud
without any trouble. I'm the owner of the Google Cloud project but I've assigned myself Storage Admin, Artifact Registry Administrator, Artifact Registry Repository Administrator just to be safe. However, when I run gcloud auth print-access-token
and analyze the token with the https://www.googleapis.com/oauth2/v1/tokeninfo
endpoint, the only scopes that appear are:
{
...
"scope": "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-
platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/accounts.reauth",
...
}
Missing are the https://www.googleapis.com/auth/devstorage.read_write
or the https://www.googleapis.com/auth/devstorage.full_control
scopes which should probably be there according to the troubleshooting link, but I'm not sure why they would be missing. I had this working on my last Windows 10 machine by following the setup instructions, but the same setup on my new machine doesn't seem to be working.
My docker credential helper entries:
{
"credHelpers": {
"gcr.io": "gcloud",
"us.gcr.io": "gcloud",
"eu.gcr.io": "gcloud",
"asia.gcr.io": "gcloud",
"staging-k8s.gcr.io": "gcloud",
"marketplace.gcr.io": "gcloud",
"northamerica-northeast1-docker.pkg.dev": "gcloud",
"us-central1-docker.pkg.dev": "gcloud"
}
}
> docker-credential-gcloud list
{
"https://asia.gcr.io": "_dcgcloud_token",
"https://eu.gcr.io": "_dcgcloud_token",
"https://gcr.io": "_dcgcloud_token",
"https://marketplace.gcr.io": "_dcgcloud_token",
"https://staging-k8s.gcr.io": "_dcgcloud_token",
"https://us.gcr.io": "_dcgcloud_token"
}
gcloud -v
Google Cloud SDK 311.0.0
beta 2020.09.18
bq 2.0.60
core 2020.09.18
gsutil 4.53
docker -v
Docker version 19.03.13, build 4484c46d9d
Thanks to the link provided by Muss Rahman I've been able to authenticate by going to "Settings" -> "Command Line" in Docker Desktop and unchecking the "Enable cloud experience" switch. The setting seems to be absent from the docker manual so I'm not sure how it impacts the authentication, all I know is that for Docker version 19.03.13, build 4484c46d9d on Windows, if you want to authenticate using gcloud it needs to be disabled.