"Requester pays" artifact buckets result in UserProjectMissing error code

[dinvlad]

Hi Team,

We're exploring whether GCR could be used with "requester pays" artifact buckets, so that users in other projects could pull from our public GCR repos, but pay for the requests and network charges.

To this end, we've enabled "requester pays" option on one of our artifact buckets (e.g. us.artifacts.<project-id>.appspot.com), and tried to pull from it to another project after authenticating with GCR:

$ docker-credential-gcr configure-docker
/home/<user>/.docker/config.json configured to use this credential helper for GCR registries

$ docker pull us.gcr.io/<project-id>/<image>:<tag>
<tag>: Pulling from <project-id>/<image>
f2b6b4884fc8: Pulling fs layer
...
error pulling image configuration: error parsing HTTP 400 response body: invalid character '<' looking for beginning of value: "<?xml version='1.0' encoding='UTF-8'?><Error><Code>UserProjectMissing</Code><Message>Bucket is a requester pays bucket but no user project provided.</Message></Error>"

This is the same error as when we try to run gsutil without -u option on that bucket. It seems like docker-credential-gcr could enable a similar option here - are there any plans or technical limitations on doing that?

EDIT: For an example implementation of it with Docker credential helper protocol, the project ID could be specified through

"Username": "oauthaccesstoken@project_id"

Then, if no @project_id is specified, GCR would use the regular bucket access mechanism.

Thank you!

[dekkagaijin]

GCR's most requested features can't naturally be implemented on top of GCS. For that reason, GCR most likely will not be expanding our feature parity with it.

(Sorry, this is deliberately vague to avoid commenting on our roadmap, but it can be assumed that we won't be expanding our reliance on GCS)