GoogleCloudPlatform / docker-credential-gcr

A Docker credential helper for GCR users
https://gcr.io
Apache License 2.0

Unable to authenticate to private Container Registry after using docker-credential-gcr on Container-Optimized OS 65-10323.97.0 stable #51

Closed RsknCankov closed 6 years ago

RsknCankov commented 6 years ago

Hello, after execution of docker-credential-gcr configure-docker with output as follows: /home//.docker/config.json configured to use this credential helper for GCR registries.

When trying the docker pull command (docker pull gcr.io/project/image), I get: Error response from daemon: repository gcr.io/project/image not found: does not exist or no pull access

When I check the Container Registry, the image is ready and built.

Here is the content of config.json:

    {
      "auths": {},
      "credHelpers": {
        "asia.gcr.io": "gcr",
        "eu.gcr.io": "gcr",
        "gcr.io": "gcr",
        "staging-k8s.gcr.io": "gcr",
        "us.gcr.io": "gcr"
      }
    }

jonjohnsonjr commented 6 years ago

This sounds similar to this issue: https://stackoverflow.com/questions/51236449/unable-to-pull-image-from-private-gcr-from-container-optimized-compute-engine

dekkagaijin commented 6 years ago

Are you running docker pull:

If you aren't using sudo to run docker, it looks like the cred helper was configured properly.

RsknCankov commented 6 years ago

Here are my steps:

  1. Create a new VM instance in the Google Cloud console with the Container-Optimized OS 65-10323.97.0 stable image.
  2. Connect to it by ssh.
  3. Execute docker-credential-gcr configure-docker without sudo.
  4. Run docker pull, with the pull command copied from the image in my private container registry (without sudo).

I then removed and created a new machine and tried to get authentication with the advanced method which is listed in the official GCP docs: https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#accessing_private_google_container_registry. Again, when running docker pull (without sudo): not found: does not exist or no pull access (the docker pull command is copied from the image, so as to eliminate the chance of a typo).

I also tried running docker-credential-gcr gcr-login and then running docker pull (without sudo), also without any success.

@jonjohnsonjr - before opening the issue, I found this one and tried to execute the steps, but again without any success.

dekkagaijin commented 6 years ago

When running in a VM, docker-credential-gcr will use the credentials associated with the instance's service account (usually {project number}-compute@developer.gserviceaccount.com). This service account needs to be granted the Storage Object Viewer role on the GCS bucket where images are hosted: https://cloud.google.com/container-registry/docs/access-control

Additionally, the VM needs to grant the service account at least Read Only for the Storage Cloud API access scope: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances#changeserviceaccountandscopes
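The three conditions discussed so far (credential helper entry, VM access scope, bucket role for the service account) can be checked together. The following is an added example, not code from this issue or from the docker-credential-gcr project; the service account, scope list and bucket policy are constructed sample inputs, the scope text uses the one-URL-per-line format the metadata server returns, and the set of accepted roles is an assumption that goes slightly beyond the single role named above.

```python
import json

# Access scopes that permit reading Cloud Storage objects (where GCR keeps image layers).
READ_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}
# Bucket roles that include object read access (assumed, non-exhaustive set).
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.objectAdmin", "roles/storage.admin"}

def parse_scopes(text):
    """Split metadata-server output (one scope URL per line) into a set."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def diagnose(docker_config, registry, scopes, bucket_policy, service_account):
    """Return findings explaining why a pull from `registry` could be denied."""
    findings = []
    if docker_config.get("credHelpers", {}).get(registry) != "gcr":
        findings.append(f"no gcr credential helper configured for {registry}")
    if not READ_SCOPES & scopes:
        findings.append("VM access scopes lack Cloud Storage read access")
    member = f"serviceAccount:{service_account}"
    roles = {b["role"] for b in bucket_policy.get("bindings", [])
             if member in b.get("members", [])}
    if not READ_ROLES & roles:
        findings.append(f"{service_account} has no object read role on the image bucket")
    return findings

# config.json as posted in this issue.
CONFIG = json.loads('{"auths": {}, "credHelpers": {"asia.gcr.io": "gcr", "eu.gcr.io": "gcr", '
                    '"gcr.io": "gcr", "staging-k8s.gcr.io": "gcr", "us.gcr.io": "gcr"}}')
# Constructed sample inputs (not taken from the issue).
SA = "123456789012-compute@developer.gserviceaccount.com"
SCOPES_TEXT = ("https://www.googleapis.com/auth/logging.write\n"
               "https://www.googleapis.com/auth/monitoring.write\n")
POLICY = {"bindings": [{"role": "roles/storage.legacyBucketOwner",
                        "members": ["projectOwner:example-project"]}]}

if __name__ == "__main__":
    for finding in diagnose(CONFIG, "gcr.io", parse_scopes(SCOPES_TEXT), POLICY, SA):
        print("FINDING:", finding)
```

With the posted config.json the helper check passes, so the sample run reports only the scope and role findings, which matches the "does not exist or no pull access" symptom on a VM whose helper is configured correctly.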

dekkagaijin commented 6 years ago

Optionally, you could also configure the credential helper to use the credentials created during docker-credential-gcr gcr-login using the following command:

    docker-credential-gcr config --token-source="store"

RsknCankov commented 6 years ago

Just tested that, now it is downloading the image. Thank you man! Appreciate it.

rupurt commented 5 years ago

@dekkagaijin should the default service account need to be granted these roles? I can only get this to work on a container optimized OS by doing a docker-credential-gcr gcr-login first, which isn't described in the COS documentation.