Permission artifactregistry.repositories.uploadArtifacts denied on resource using github actions

Question

I am trying to push docker container to Artifact Registry on GCP but I got an error on step Push Docker Image to Artifact Registry

denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/PROJECT_ID/locations/asia-south1/repositories/images" (or it may not exist) Error: Process completed with exit code 1.

name: Build image and push to Artifact Registry of GCP
on: 
  push:
    branches: 
      - master
 
jobs:
  build-push-artifact:
    name : Build and push Artifact Registry
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        credentials_json: '${{ secrets.ACCOUNT_KEY }}'

    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'

    - name: 'Use gcloud CLI'
      run: 'gcloud info'

    - name: build Docker Image
      run: docker build -t MY_IMAGE:latest .
    
    - name: Configure Docker Client of Gcloud
      run:  |-
        gcloud auth configure-docker --quiet
        gcloud auth configure-docker asia-south1-docker.pkg.dev --quiet
    
    - name: Push Docker Image to Artifact Registry 
      env:
        GIT_TAG: v0.1.0
      run:  |-
        docker tag MY_IMAGE:latest asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:latest
        docker tag MY_IMAGE:latest asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:$GIT_TAG
        docker push asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:latest
        docker push asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:$GIT_TAG

I also added the Artifact Registry Write principal to repository with service email.Every other step execute successfully except last one. How can I fix it?

`Nikhil Kumar` there are two possibilities for this one you might have not provided sufficient permissions but that’s not true in this case so ruling it out the second case is that the details you are passing in the pipelines might not be correct for example some human errors while entering project ID and image name, from the pipeline code I can see that you are passing these details through variables so if that’s the case you should be using $ symbol before the variable for it’s value to get reflected in the pipeline. Example: projectid = 1234 you should be using $projectid in the link — Kranthiveer Dontineni, Mar 26 '23 at 10:33
@KranthiveerDontineni PROJECT_ID , MY_IMAGE and others are only for demonstration purpose. I also try with hardcoded value but its not working. can you please explain the first possibility I mean which permission require in this situation. — Nikhil kumar, Mar 28 '23 at 08:12
I try Container registry instead of Artifact registry by changing last step with :`docker tag MY_IMAGE:latest gcr.io/PROJECT_ID/MY_IMAGE:latest` `docker tag MY_IMAGE:latest gcr.io/PROJECT_ID/MY_IMAGE:$GIT_TAG` `docker push gcr.io/PROJECT_ID/MY_IMAGE:latest` `docker push gcr.io/PROJECT_ID/MY_IMAGE:$GIT_TAG` and it worked — Nikhil kumar, Mar 28 '23 at 08:25
Verify the URL that you used in image tag is correct. This error is misleading as one first think it's related to permissions but probably is because of a bad repository URL. I was getting this error while using Cloud Build, but default permissions allow uploading images to Artifacts Registry. Turns out that I was using "id" attribute from "data.google_project" Terraform, but this returns "projects/PROJECT_ID" instead of "PROJECT_ID", so, I was bad rendering "$REGION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY_ID" into "$REGION-docker.pkg.dev/projects/$PROJECT_ID/$REPOSITORY_ID". Hope this helps. — Hector Torres, Apr 13 '23 at 15:53

score 29 · Answer 1 · answered Apr 22 '23 at 09:49

29

Ok, I spent a lot of time on this now and there are two possible solutions:

Log into gcloud: gcloud auth login
Configure docker: gcloud auth configure-docker europe-west1-docker.pkg.dev (make sure to specify appropriate region)

The second one did it for me.

answered Apr 22 '23 at 09:49

Roman Dmitrienko

3,375
3
37
48

2

Wow can't believe I was just not logged in! – Elias Yishak Jun 02 '23 at 20:19
1

Great answer. However I needed to use the "europe" region to push to Artifact Registry and that confused me a bit. In case anybody else get the same issue the error was `denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects//locations/europe/repositories/eu.gcr.io"` And I fixed it with: `gcloud auth configure-docker europe-docker.pkg.dev` – Graunephar Jun 20 '23 at 13:45
FYI, this is documented at https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling#auth – william_grisaitis Jun 26 '23 at 01:29
Sorry, but where is this mentioned that you should or have to use 'europe' region in the above document, 'europe' is used just as an example. – kwick Jun 26 '23 at 09:12
Neither of these did it for me. It's still saying denied on docker push and I'm a project owner and gcloud auth list shows it's using my account. – Nathan McKaskle Aug 24 '23 at 15:07

score 2 · Answer 2 · answered Jun 26 '23 at 11:58

If above solution by Roman didn't solve the issue, you should check the Roles assigned to the user through which you are trying to push the images to registry.

IAM Policy Troubleshooter can help in this, for example you can provide your User Email as Principal, Resource you wanna access (in this case the Registry), and the permission which is expected ('uploadArtifacts' in this case):

score 0 · Answer 3 · answered Jul 11 '23 at 12:02

One more error scenario and how I fixed this error:

If you had installed docker via snap (on Ubuntu), this version of docker looks for config file at a different path and will not take config file updated by gcloud auth configure-docker... step which updates the docker config file at ~/.docker/config.json.

In my case, I uninstalled the snap version and re-installed docker via the helper scripts given on Docker website. Alternatively you can copy the updated config to the location where the snap's docker is installed.

score 0 · Answer 4 · answered Sep 01 '23 at 11:24

Finally this worked for me. I was also facing above issue for Artifact registry.

So before executing docker push, I did authentication. This step is not exactly mentioned in docs but this worked for me.

gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev

Note:- change your region.

Permission artifactregistry.repositories.uploadArtifacts denied on resource using github actions

4 Answers4