18

I'm trying to push my Docker container to the Google Container Registry, using this tutorial, but when I run

gcloud docker push b.gcr.io/my-bucket/image-name

I get the error:

The push refers to a repository [b.gcr.io/my-bucket/my-image] (len: 1)
Sending image list
Error: Status 403 trying to push repository my-bucket/my-image: "Access denied."

I couldn't find any more explanation (no -D, --debug, --verbose arguments were recognized); gcloud auth list and docker info tell me I'm connected to both services.

Anything I'm missing?

hilnius

10 Answers

11

You need to make sure the VM instance has enough access rights. You can set these at the time of creating the instance, or if you have already created the instance, you can also edit it (but first, you'll need to stop the instance). There are two ways to manage this access:

Option 1

Under the Identity and API access, select Allow full access to all Cloud APIs.

Option 2 (recommended)

Under the Identity and API access, select Set access for each API and then choose Read Write for Storage.

Note that you can also change these settings even after you have already created the instance. To do this, you'll first need to stop the instance, and then edit the configuration as mentioned above.

The Student Soul
Yuchen
4

Use gsutil to check the ACL to make sure you have permission to write to the bucket:

$ gsutil acl get gs://<my-bucket>

You'll need to check which group the account you are using is in ('owners', 'editors', 'viewers' etc.)

EDIT: I have experienced a very similar problem to this myself recently and, as @lampis mentions in his post, it's because the correct permission scopes were not set when I created the VM I was trying to push the image from. Unfortunately there's currently no way of changing the scopes once a VM has been created, so you have to delete the VM (making sure the disks are set to auto-delete!) and recreate the VM with the correct scopes ('compute-rw', 'storage-rw' seems sufficient). It doesn't take long though ;-).

See the --scopes section here: https://cloud.google.com/sdk/gcloud/reference/compute/instances/create

Richard Corfield
  • That's the problem: I'm in the owners group and the owners group members have owner rights on this bucket. Still access denied – hilnius Jul 08 '15 at 16:36
  • And when you run `gcloud auth list`, the owner that you refer to definitely has `(active)` listed against it? – Richard Corfield Jul 08 '15 at 21:13
  • Sorry for the delay, SO isn't sending me notifications. Are you using Docker 1.7.0? Docker made a breaking change in 1.7.0 to how they do authentication, but you should try a `gcloud components update`. We updated the docs to include this too: https://cloud.google.com/tools/container-registry/#access_denied – mattmoor Jul 22 '15 at 15:05
  • I ran into ACL issues, defining the SA user on the bucket ACL's fixed it. – sunshinekitty Mar 11 '17 at 07:29
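Several answers on this page trace the 403 to the VM's access scopes rather than to the bucket ACL. The following is an added example, not code from any of the answers: it classifies a scope list in the one-URL-per-line format returned by the Compute Engine metadata server. The function name `classify_gcr_scopes` and the sample scope lists are constructed for illustration.

```sh
#!/bin/sh
# Added example: decide whether a VM's access scopes allow pushing to the
# registry's backing storage bucket. Reads one OAuth scope URL per line on
# stdin and prints "push-ok", "pull-only" or "no-storage-scope".
classify_gcr_scopes() {
    result="no-storage-scope"
    # "|| [ -n ... ]" keeps a final line that has no trailing newline.
    while IFS= read -r scope || [ -n "$scope" ]; do
        case "$scope" in
            */auth/cloud-platform|*/auth/devstorage.full_control|*/auth/devstorage.read_write)
                result="push-ok"
                ;;
            */auth/devstorage.read_only)
                # Never overwrite a write-capable scope seen earlier.
                if [ "$result" = "no-storage-scope" ]; then
                    result="pull-only"
                fi
                ;;
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample: storage scope is read-only, so writes to the bucket fail.
SAMPLE_READ_ONLY='https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write'

# Constructed sample: a VM created with --scopes compute-rw,storage-rw.
SAMPLE_READ_WRITE='https://www.googleapis.com/auth/compute
https://www.googleapis.com/auth/devstorage.read_write'

# Constructed sample: "Allow full access to all Cloud APIs".
SAMPLE_FULL='https://www.googleapis.com/auth/cloud-platform'

for sample in "$SAMPLE_READ_ONLY" "$SAMPLE_READ_WRITE" "$SAMPLE_FULL"; do
    printf '%s\n' "$sample" | classify_gcr_scopes
done

# On a real VM (not run here), feed it the live scope list:
#   curl -s -H 'Metadata-Flavor: Google' \
#     'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes' \
#     | classify_gcr_scopes
```

Access scopes cap what the VM's service-account token can do, so a "pull-only" result explains an access-denied push even when the account is an owner on the bucket.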
4

I am seeing this but on an intermittent basis. e.g. I may get the error denied: Permission denied for "latest" from request "/v2/...."., but when trying again it will work.

Is anyone else experiencing this?

Sam Kenny
3

For me I forgot to prepend gcloud in the line (and I was wondering how docker would authenticate):

$ gcloud docker push <image>
Wernight
2

In your terminal, run the code below

$ sudo docker login -u oauth2accesstoken -p "$(gcloud auth print-access-token)" https://[HOSTNAME]

Where [HOSTNAME] is your container registry location (it is either gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io). Check your tagged images to be sure by running $ sudo docker images.

If this doesn't fix it, try reviewing the VM's access scopes.

Mekky_Mayata
1

If you are using Docker 1.7.0, there was a breaking change to how they handle authentication, which affects users who are using a mix of gcloud docker and docker login.

Be sure you are using the latest version of gcloud via: gcloud components update.

So far this seems to affect gcloud docker, docker-compose and other tools that were reading/writing the Docker auth file.

Hopefully this helps.

mattmoor
  • 1
    Depending on the OS you need to set the user rights accordingly. That means, if you're using `gcloud` without `sudo`, you need to make sure that you can also use the `docker` command without `sudo`. See [here](http://askubuntu.com/a/477554) for more info in case you're using Ubuntu. – Randy Nov 09 '16 at 08:50
1

Same problem here, the troubleshooting section from https://cloud.google.com/tools/container-registry/#access_denied wasn't very helpful. I have Docker and GCloud fully updated. Don't know what else to do.

BTW, I'm trying to push to "gcr.io".

Fixed. I was using a VM in Compute Engine as my development machine, and it looks like I didn't give it enough rights in Storage.

lampis
0

I had the same problem with access denied and I resolved it by creating a new image using a tag:

docker tag IMAGE_WITH_ACCESS_DENIED gcr.io/my-project/my-new-image:test

After that I could push it to Container Registry:

gcloud docker -- push gcr.io/my-project/my-new-image:test
Majico
0

Today I also got this error inside Jenkins running on Google Kubernetes Engine when pushing the Docker container. The reason was a node pool node version upgrade from 1.9.6-gke.1 to 1.9.7-gke.0 in GCP that I did before. Worked again after the downgrade.

Techradar
0

You need to log in to gcloud from the machine you are:

gcloud auth login
Esthon Medeiros