search

GoogleCloudPlatform / docker-credential-gcr

A Docker credential helper for GCR users
https://gcr.io
Apache License 2.0
292 stars 92 forks source link

Unable to push images in GCR - “Caller does not have permission 'storage.buckets.create'.” #55

Open sunnygoel8 opened 5 years ago

sunnygoel8 commented 5 years ago

I'm using Standalone Docker credential helper authentication option to push docker images in GCR from local machine. Ran following command locally which created config.json file at following path - C:\Users\sunny.goel.docker

docker-credential-gcr configure-docker

Then I issued following command to get the credential for us.gcr.io region and noticed that secret returned in output doesn't match with auth attribute value for us.gcr.io region in config.json file. Shouldn't it match ideally ?

echo "https://us.gcr.io" | docker-credential-gcr get

Moreover, where can we find the caller information to assign the required roles (storage admin) ? I do see a number of service accounts but am not sure which one is used to create storage buckets ?

jonjohnsonjr commented 5 years ago

Assuming you're using gcloud and not a JSON key or environment-based auth, gcloud auth list should show you the current active account.

The auth attribute value in the config file is probably leftover from doing a docker login with some credentials. You shouldn't need an auths entry for the credential helper to work, e.g. my config looks like this:

{
    "auths": {},
    "credHelpers": {
        "asia.gcr.io": "gcr",
        "eu.gcr.io": "gcr",
        "gcr.io": "gcr",
        "us.gcr.io": "gcr"
    }
}

It may be that you just need to clear that secret in the auths entry.

opensourcejunkie101 commented 4 years ago

I hit the similar issue while i was trying to upload the docker image to GCR from container optimized OS, i ran the following sequence of command,

  1. Created a service account and assigned Storage Admin privileges.
  2. Downloaded the JSON key
  3. Executed docker-credential-gcr configure-docker
  4. Logged in with docker command - docker login -u _json_key -p "$(cat ./mygcrserviceaccount.JSON)" https://gcr.io
  5. Tried pushing the image gcr - docker push gcr.io/project-id/imagename:tage01

It failed with following error, 

denied: Token exchange failed for project 'project-id'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

I tried giving every possible permission to my service account through IAM role but it would fail with same error.

After reading this issue i did the following changes,

  1. Removed the docker config directory rm -rf ~/.docker
  2. Executed docker-credential-gcr configure-docker
  3. Stored the JSON key into variable named GOOGLE_APPLICATION_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS=/path/to/mygcrserviceaccount.JSON
  4. Logged in with docker command - docker login -u _json_key -p "$(cat ${GOOGLE_APPLICATION_CREDENTIALS})" https://gcr.io
  5. Executed docker push command - docker push gcr.io/project-id/imagename:tage01

Voila, it worked like a charm!