K
Q

What's causing authentication error when pushing Docker image to Google Container Registry?

11/1/2016

I am trying to push a Docker image to Google Container Registry from a CircleCI build, as per their instructions. However, pushing to GCR fails due to an apparent authentication error:

Using 'push eu.gcr.io/realtimemusic-147914/realtimemusic-test/realtimemusic-test' for DOCKER_ARGS.
The push refers to a repository [eu.gcr.io/realtimemusic-147914/realtimemusic-test/realtimemusic-test] (len: 1)

Post https://eu.gcr.io/v2/realtimemusic-147914/realtimemusic-test/realtimemusic-test/blobs/uploads/: token auth attempt for registry: https://eu.gcr.io/v2/token?account=oauth2accesstoken&scope=repository%3Arealtimemusic-147914%2Frealtimemusic-test%2Frealtimemusic-test%3Apush%2Cpull&service=eu.gcr.io request failed with status: 403 Forbidden

I've prior to pushing the Docker image authenticated the service account against Google Cloud:

echo $GCLOUD_KEY | base64 --decode > ${HOME}/client-secret.json
gcloud auth activate-service-account --key-file ${HOME}/client-secret.json
gcloud config set project $GCLOUD_PROJECT_ID

Then I build the image and push it to GCR:

docker build -t $EXTERNAL_REGISTRY_ENDPOINT/realtimemusic-test -f docker/test/Dockerfile .
gcloud docker push -- $EXTERNAL_REGISTRY_ENDPOINT/realtimemusic-test

What am I doing wrong here?

-- aknuds1
circleci
docker
google-container-registry
google-kubernetes-engine

Similar Questions

Access specific kubernetes pod from external
Kubernetes deployments: Editing the 'spec' of a pod's YAML file fails
Kubernetes Pods vs Deployments in Google Cloud
Stackdriver JVM monitoring in Google Container Engine (Kubernetes)

4 Answers

11/4/2016

The service account requires permission to write to the Cloud Storage bucket containing the container registry. Granting the service account either the project editor role or write access to the bucket (via ACL) solves the issue. The latter should be preferable since the account doesn't receive wider permissions than it needs.

-- aknuds1
Source: StackOverflow
9/19/2018

If you are pushing docker image using google cloud sdk. You can use temporary authorization with the following command:

  gcloud docker --authorize-only

The above command gives you a temporary authorization for pushing and pulling images using docker. You can refer this link for details Gcloud docker. Hope it helps to solve your issue.

-- Vignesh
Source: StackOverflow
12/28/2018

After many retries... I solved using access token:

gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://[HOSTNAME]
-- Matteo Tosato
Source: StackOverflow
11/1/2016

Have you tried using the _json_key method for authenticating with Docker? https://cloud.google.com/container-registry/docs/advanced-authentication

After that, please use naked 'docker' (without 'gcloud').

-- jsand
Source: StackOverflow