Closed jaronoff97 closed 11 months ago
#14 exporting to image
#14 pushing layers 0.3s done
#14 ERROR: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed
------
> exporting to image:
------
ERROR: failed to solve: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed
Looks like ${{ secrets.DOCKER_USERNAME }}
user and/or ${{ secrets.DOCKER_PASSWORD }}
token does not have enough perms to push to otel/autoinstrumentation-java
. Does it work locally?
@crazy-max we've confirmed that the user has the read/write scope for the community organization and that the action is indeed using that username/password combination. These are confidential and unfortunately i do not have access to the credentials to run it locally. I was able to make a fork for my non-community organization on docker hub and it worked successfully
Fwiw, the login action succeeds
Fwiw, the login action succeeds
Yes auth succeeds but this user does not have enough perms to push to https://hub.docker.com/r/otel/autoinstrumentation-java.
These are confidential and unfortunately i do not have access to the credentials to run it locally.
Is someone else with the credentials able to repro locally?
non-community organization on docker hub and it worked successfully
Can you check if ${{ secrets.DOCKER_USERNAME }}
is a member of the otel
organization and also its affected team has read/write access to https://hub.docker.com/r/otel/autoinstrumentation-java?
- Add a community user
That does not seem enough. I think you need first to affect this user to a team in the org and set the perms to push to the repo.
@crazy-max waiting on hearing back from a teammate about your questions, thank you for the response. Just a brief Q: any chance this could be related to #160?
Can you check if
${{ secrets.DOCKER_USERNAME }}
is a member of theotel
organization and also its affected team has read/write access to https://hub.docker.com/r/otel/autoinstrumentation-java?
The user is otelbot
and it is a member of otel
organization. The access token we use has Read & Write permissions to otel
org.
The user is otelbot
and it is a member of bots
which does NOT have a Read & Write permission to the repo? Should it? Doesn't the org-wide permission override the repo permission?
The user is
otelbot
and it is a member ofbots
which does NOT have a Read & Write permission to the repo? Should it? Doesn't the org-wide permission override the repo permission?
It appears giving the team the Read & Write permission solve the problem.
However, this looks wrong to me. If I give the user the permission directly to the entire org (via their access token permissions), shouldn't that have a precedence over what permission they have indirectly via the team they belong to?
I believe this is how it worked in the past, so something may have changed recently in how the permissions are calculated.
The user is
otelbot
and it is a member ofbots
which does NOT have a Read & Write permission to the repo? Should it? Doesn't the org-wide permission override the repo permission?It appears giving the team the Read & Write permission solve the problem.
However, this looks wrong to me. If I give the user the permission directly to the entire org (via their access token permissions), shouldn't that have a precedence over what permission they have indirectly via the team they belong to?
I believe this is how it worked in the past, so something may have changed recently in how the permissions are calculated.
Thanks for your feedback can you open an issue on https://github.com/docker/hub-feedback/issues about it please?
Troubleshooting
Behaviour
Steps to reproduce this issue
Expected behaviour
Image should be pushed successfully to both repositories
Actual behaviour
ERROR: failed to solve: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed Error: buildx failed with: ERROR: failed to solve: failed to push otel/autoinstrumentation-java:1.25.1: server message: insufficient_scope: authorization failed
Configuration
Logs
logs.txt