Pull private docker images from Google Container Registry w/o gcloud


I'm using Shippable to push private docker images to the Google Container Registry that I then want to pull from either locally on a laptop, or inside an instance on the Google Compute Engine.

I know that the command gcloud preview docker pull gcr.io/projectID/image-name works, but I can't rely on gcloud being installed on every machine that someone may need to pull the image from.

If I run docker-compose up -d on my machine then I get the following error:

Pulling image gcr.io/projectID/image-name...
Pulling repository gcr.io/projectID/image-name
Traceback (most recent call last):
  File "<string>", line 3, in <module>
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.main", line 31, in main
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.docopt_command", line 21, in sys_dispatch
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.command", line 27, in dispatch
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.docopt_command", line 24, in dispatch
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.command", line 59, in perform_command
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.main", line 464, in up
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.project", line 208, in up
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.service", line 214, in recreate_containers
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.service", line 199, in create_container
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.progress_stream", line 37, in stream_output
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.progress_stream", line 50, in print_output_event
compose.progress_stream.StreamOutputError: Error: Status 403 trying to pull repository projectID/image-name: "Access denied."

Is there any way to authenticate or access the image with some form of OAuth or keys? I want to avoid having to install gcloud on every machine that will ever need to pull the image, and the images have to remain private.

I have tried gcloud preview docker -a but that is not the solution I'm looking for.

Thank you in advance for any help.

2

There are 2 answers

2
anthonator On BEST ANSWER

If you want to work with the Google Container Registry on a machine not in the Google Compute Engine (i.e. local) using vanilla docker you can follow Google's instructions.

The two main methods are using an access token or a JSON key file.

Note that _token and _json_key are the actual values you provide for the username (-u).

Access Token

$ docker login -e [email protected] -u _token -p "$(gcloud auth print-access-token)" https://gcr.io

JSON Key File

$ docker login -e [email protected] -u _json_key -p "$(cat keyfile.json)" https://gcr.io

To create a key file you can follow these instructions:

  1. Open the Credentials page.
  2. To set up a new service account, do the following:
    • Click Add credentials > Service account.
    • Choose whether to download the service account's public/private key as a standard P12 file, or as a JSON file that can be loaded by a Google API client library.
    • Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely.

You can view Google's documentation on generating a key file here.

0
Pratham Singhal On

You can also do the following, and it would also work.

cat service-account.json | docker login -u _json_key --password-stdin https://gcr.io
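
Added example, not part of either answer: a pre-flight check on the JSON key file before the `--password-stdin` login shown above, so the key is never passed as a `-p` argument (where it is visible in the process list and shell history). The function names `check_keyfile` and `gcr_login` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate a service account JSON key, then log in to gcr.io.
# check_keyfile and gcr_login are hypothetical helper names, not Google or Docker tooling.

# Return 0 if the key file looks safe to use; otherwise print a reason and
# return 2 (missing), 3 (permissions too open) or 4 (not a JSON service account key).
check_keyfile() {
    keyfile=$1
    if [ ! -f "$keyfile" ] || [ ! -r "$keyfile" ]; then
        echo "key file missing or unreadable: $keyfile" >&2
        return 2
    fi
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    perms=$(ls -Lld -- "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "key file is accessible to group/others; run: chmod 600 $keyfile" >&2
        return 3
    fi
    # A JSON key declares its type and carries the private key; a P12 file does not.
    if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$keyfile" ||
       ! grep -q '"private_key"' "$keyfile"; then
        echo "not a service account JSON key: $keyfile" >&2
        return 4
    fi
    return 0
}

# Log in with the key supplied on stdin, so it never appears in argv.
gcr_login() {
    check_keyfile "$1" || return $?
    docker login -u _json_key --password-stdin https://gcr.io < "$1"
}

# Usage: gcr_login /path/to/keyfile.json
```
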