I am trying to push a docker image from my Google Cloud Compute Engine to the Artifact Registry. The hostname is still `gcr.io`, but the Container Registry transition has been set to "Routed to Artifact Registry".
I build the docker image inside of my compute engine, and run
```
docker push gcr.io/$PROJECT_ID/$NAME:3.2.0
```
I encounter the following error:
```
unauthorized: authentication failed
```
Below are a few steps I've already tried:
- I set the `gcloud config set account` to the service account.
- I've logged in via `gcloud auth application-default login`
- I've run `gcloud auth configure-docker gcr.io` and the `config.json` is properly generated
```
{
  "auths": {},
  "credHelpers": {
    "asia.gcr.io": "gcr",
    "eu.gcr.io": "gcr",
    "gcr.io": "gcloud",
    "marketplace.gcr.io": "gcr",
    "us.gcr.io": "gcr"
  }
}
```
- Under the Artifact Registry page, it shows my compute engine service account has the role of Artifact Registry Administrator
- I am able to pull images from the repository, just cannot push.
- Hi @Cheng Shi I have provided an answer below. Please check and let me know if the below suggestions were helpful – Sathi Aiswarya Commented Mar 19 at 13:41
- 1 I'm facing the same issue. I can pull but cannot push. None of the proposed steps work. I have tried giving all the permissions available to the compute service account. If I authenticate with my Gmail account on the other hand it works. – Fred Commented Mar 21 at 16:50
2 Answers
I found the problem:
By default, when creating a VM, the Compute Service account doesn't have full write access to Cloud APIs, even if it has the relevant role/permissions.
To enable full access, you need to set "Allow full access to all Cloud APIs" under Security when creating the VM. Or if using the CLI to create the VM, by setting the `--scope` flag.
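An added example, not part of either answer: a shell check for the access-scope cause described in the answer above, which classifies the scope list that a VM's metadata server reports for its service account. The function names and sample scope lists are constructed for illustration, and the mapping of scopes to push/pull verdicts is an assumption based on the read-only storage scope that default VMs receive.

```shell
# Live query of the metadata server; only works on a Compute Engine VM,
# so it is defined here but not called on the constructed samples below.
fetch_scopes() {
    curl -sf -H 'Metadata-Flavor: Google' \
      'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# classify_scopes: reads one scope URL per line on stdin and prints
#   push      - a scope that permits registry writes is present
#   pull-only - only the read-only storage scope is present
#   none      - no storage-related scope at all
classify_scopes() {
    result=none
    while IFS= read -r scope || [ -n "$scope" ]; do
        case "${scope##*/auth/}" in
            cloud-platform|devstorage.read_write|devstorage.full_control)
                result=push ;;
            devstorage.read_only)
                [ "$result" = push ] || result=pull-only ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample: scopes of a VM created with the default access setting.
DEFAULT_SCOPES='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'

# Constructed sample: a VM created with "Allow full access to all Cloud APIs".
FULL_SCOPES='https://www.googleapis.com/auth/cloud-platform'

check_vm() {   # $1 = newline-separated scope list
    verdict=$(printf '%s\n' "$1" | classify_scopes)
    case "$verdict" in
        push)      echo "push: scopes allow writes; if push still fails, check IAM roles" ;;
        pull-only) echo "pull-only: read-only scope caps the IAM role; widen the VM's scopes" ;;
        *)         echo "none: the VM token carries no storage or cloud-platform scope" ;;
    esac
}

check_vm "$DEFAULT_SCOPES"   # the situation in the question: pull works, push fails
check_vm "$FULL_SCOPES"
# On a real VM: check_vm "$(fetch_scopes)"
```

A `pull-only` verdict matches the symptom in the question: the service account holds an administrator role, but the token issued to the VM is limited by its access scopes.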
As suggested in this GitHub, try running the following command to configure docker config to use gcloud as a credentials helper. Check this document for more details:
```
gcloud auth configure-docker us-west1-docker.pkg.dev
```
Alternatively, you can use the access_token from auth directly, bypassing the need for gcloud as suggested in this thread1 and thread2:
```
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev
```
Note: Make sure to change the region accordingly.