Google Container Registry access denied when pushi

2019-01-26 10:33发布

问题:

I try to push my docker container to the google container registry, using this tutorial, but when I run

gcloud docker push b.gcr.io/my-bucket/image-name

I get the error :

The push refers to a repository [b.gcr.io/my-bucket/my-image] (len: 1)
Sending image list
Error: Status 403 trying to push repository my-bucket/my-image: "Access denied."

I couldn't find any more explanation (no -D, --debug, --verbose arguments were recognized), gcloud auth list and docker info tell me I'm connected to both services.

Anything I'm missing ?

回答1:

When you create you Google Cloud VM instance, make sure it has the enough accessing right.

Option 1

Under the Identity and API access, select Allow full access to all Cloud APIs.

Option 2 (recommended)

Under the Identity and API access, select Set access for each API and then choose Read Write for Storage.



回答2:

For me I forgot to prepend gcloud in the line (and I was wondering how docker would authenticate):

$ gcloud docker push <image>


回答3:

Use gsutil to check the ACL to make sure you have permission to write to the bucket:

$ gsutil acl get gs://<my-bucket>

You'll need to check which group the account you are using is in ('owners', 'editors', 'viewers' etc.)

EDIT: I have experienced a very similar problem to this myself recently and, as @lampis mentions in his post, it's because the correct permission scopes were not set when I created the VM I was trying to push the image from. Unfortunately there's currently no way of changing the scopes once a VM has been created, so you have to delete the VM (making sure the disks are set to auto-delete!) and recreate the VM with the correct scopes ('compute-rw', 'storage-rw' seems sufficient). It doesn't take long though ;-).

See the --scopes section here: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create



回答4:

I am seeing this but on an intermittent basis. e.g. I may get the error denied: Permission denied for "latest" from request "/v2/...."., but when trying again it will work.

Is anyone else experiencing this?



回答5:

I had the same problem with access denied and I resolved it with creating new image using Tag:

docker tag IMAGE_WITH_ACCESS_DENIED gcr.io/my-project/my-new-image:test

After that I could PUSH It to Container registry:

gcloud docker -- push gcr.io/my-project/my-new-image:test


回答6:

If you are using Docker 1.7.0, there was a breaking change to how they handle authentication, which affects users who are using a mix of gcloud docker and docker login.

Be sure you are using the latest version of gcloud via: gcloud components update.

So far this seems to affect gcloud docker, docker-compose and other tools that were reading/writing the Docker auth file.

Hopefully this helps.



回答7:

Same problem here, the troubleshooting section from https://cloud.google.com/tools/container-registry/#access_denied wasn't very helpful. I have Docker and GCloud full updated. Don't know what else to do.

BTW, I'm trying to push to "gcr.io".

Fixed. I was using a VM in compute engine as my development machine, and looks like I didn't give it enough rigths in Storage.



回答8:

You need to login to gcloud from the machine you are:

gcloud auth login


回答9:

Today I also got this error inside Jenkins running on Google Kubernetes Engine when pushing the docker container. The reason was a node pool node version upgrade from 1.9.6-gke.1 to 1.9.7-gke.0 in gcp I did before. Worked again after the downgrade.