Can't push image to google container registry

2020-08-17 17:18发布

站内问答 / Docker
2094 10 5

I am working on a bitbucket pipeline for pushing image to gc container registry. I have created a service account with Storage Admin role. (bitbucket-authorization@mgcp-xxxx.iam.gserviceaccount.com)

enter image description here

gcloud auth activate-service-account --key-file key.json
gcloud config set project mgcp-xxxx
gcloud auth configure-docker --quiet
docker push eu.gcr.io/mgcp-xxxx/image-name

Although that the login is successful, i get: Token exchange failed for project 'mgcp-xxxx'. Caller does not have permission 'storage.buckets.get'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

Can anyone advice on what i am missing?

Thanks!

10条回答
乱世女痞
2楼-- · 2020-08-17 17:47

These are step-by step commands which got me to push first container to a GCE private repo:

export PROJECT=pacific-shelter-218
export KEY_NAME=key-name1
export KEY_DISPLAY_NAME='My Key Name'

sudo gcloud iam service-accounts create ${KEY_NAME} --display-name ${KEY_DISPLAY_NAME}
sudo gcloud iam service-accounts list
sudo gcloud iam service-accounts keys create --iam-account ${KEY_NAME}@${PROJECT}.iam.gserviceaccount.com key.json
sudo gcloud projects add-iam-policy-binding ${PROJECT} --member serviceAccount:${KEY_NAME}@${PROJECT}.iam.gserviceaccount.com --role roles/storage.admin
sudo docker login -u _json_key -p "$(cat key.json)" https://gcr.io
sudo docker push  gcr.io/pacific-shelter-218/mypcontainer:v2
查看更多
0人赞 添加讨论(0) 举报
Evening l夕情丶
3楼-- · 2020-08-17 17:48

GCR just uses GCS to store images check the permissions on your artifacts. folder in GCS within the same project.

查看更多
0人赞 添加讨论(0) 举报
神经病院院长
4楼-- · 2020-08-17 17:56

For anyone reading all the way here. The other suggestions here did not help me, however I found that the Cloud Service Build Account role was also required. Then the storage.buckets.get dissappears.

This is my minimal role (2) setup to push docker images: auomationroles

The Cloud Service Build Account role however adds many more permissions that simply storage.buckets.get. The exact permissions can be found here.

note: I am well aware the Cloud Service Build Account role also adds the storage.objects.get permission. However, adding roles/storage.objectViewerdid not resolve my problem. Regardless of the fact it had the storage.objects.get permission.

If the above does not work you might have the wrong account active. This can be resolved with: 

gcloud auth activate-service-account --key-file key.json

If that does not work you might need to set the docker credential helpers with: 

gcloud auth configure-docker --project <project_name>

On one final note. There seemed to be some delay between setting a role and it working via the gcloud tool. This was however minimal, think of a scope less than a minute.

Cheers

查看更多
0人赞 添加讨论(0) 举报
Lonely孤独者°
5楼-- · 2020-08-17 17:56

Tried several things, but it seems you have to run gcloud auth configure-docker

查看更多
0人赞 添加讨论(0) 举报
迷人小祖宗
6楼-- · 2020-08-17 17:59

add service account role

on google cloud IAM

Editor Storage object Admin Storage object Viewer

fix for me

查看更多
0人赞 添加讨论(0) 举报
霸刀☆藐视天下
7楼-- · 2020-08-17 18:01

You need to be logged into your account and set the project to the project you'd like. There is a good chance you're just not logged in.

gcloud auth login

gcloud config set project <PROJECT_ID_HERE>

查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)