google / go-containerregistry

Go library and CLIs for working with container registries
Apache License 2.0

gcrane: unable to transfer images from google container registry to google artifact registry #1910

Closed biswalc closed 1 day ago

biswalc commented 5 months ago

Describe the bug

Following the guide from https://cloud.google.com/artifact-registry/docs/docker/copy-from-gcr

I attempted to transfer the images from GCR to GAR using gcrane and it failed.

Permissions: The service account (biswal-actions-sa) used to do the operation has both the below permissions:

Also the Google-managed service account ('serviceAccount:service-123456789@gcp-sa-artifactregistry.iam.gserviceaccount.com') has the permissions.

gcloud auth list shows the desirable active SA:

% gcloud auth list
                               Credentialed Accounts
ACTIVE  ACCOUNT
*              biswal-actions-sa@my-project.iam.gserviceaccount.com

Copy command executed:

gcrane cp -r us.gcr.io/my-project/my-analysis us-docker.pkg.dev/my-project/my-analysis/my-analysis

This generates the error:

52:29 retrying without mount: Post "https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxx&origin=us.gcr.io": context canceled

2024/03/29 22:52:29 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxx&origin=REDACTED: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)

2024/03/29 22:52:29 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxx&origin=REDACTED: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)

2024/03/29 22:52:29 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxxx&origin=REDACTED: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)

2024/03/29 22:52:29 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxxxx&origin=REDACTED: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)

Error: failed to copy "sha256:xxxxxxxxx

When I do the following steps they work out fine:

docker pull us.gcr.io/my-project/my-analysis:latest

docker tag us.gcr.io/my-project/my-analysis:latest us-docker.pkg.dev/my-project/my-analysis/my-analysis:latest

docker push us-docker.pkg.dev/my-project/my-analysis/my-analysis:latest

Google Support mentioned trying the execution in Gcloud Shell, and I faced the same issue there.

To Reproduce

gcrane cp -r us.gcr.io/my-project/my-analysis us-docker.pkg.dev/my-project/my-analysis/my-analysis

Expected behavior

gcrane should process the source, and the Artifact Registry should be able to import the image layers without having to download them to the bastion machine where gcrane is running.

jonjohnsonjr commented 4 months ago

gcrane should pick up default credentials from wherever you're running it...

Is that service account your ADC wherever you're invoking gcrane? I.e. you have impersonated via:

gcloud auth application-default login --impersonate-service-account $ACCOUNT

Also would be curious to see if both of these fail or only one:

gcrane ls us.gcr.io/my-project/my-analysis
gcrane ls us-docker.pkg.dev/my-project/my-analysis/my-analysis
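
An added example, not part of the thread or the project's code: a shell filter that collapses the repeated DENIED retries from the report into distinct permission/resource tuples and prints two read-only gcloud checks, one for the "(or it may not exist)" case and one for the IAM bindings. The sample log is constructed from the lines quoted above, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarize gcrane DENIED retries.
# Real use: pipe gcrane's combined output into followup_checks.

# Constructed sample, modelled on the log lines quoted in the report.
sample_log() {
cat <<'EOF'
52:29 retrying without mount: Post "https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/": context canceled
2024/03/29 22:52:29 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)
2024/03/29 22:52:30 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)
EOF
}

# Read gcrane output on stdin; print one "permission project location repo"
# line per distinct denial. Fields are limited to [A-Za-z0-9._-] so that a
# crafted log line cannot smuggle shell syntax into the commands printed below.
denied_tuples() {
  field='([A-Za-z0-9._-]+)'
  sed -nE "s#.*DENIED: Permission \"$field\" denied on resource \"projects/$field/locations/$field/repositories/$field\".*#\1 \2 \3 \4#p" | sort -u
}

# For each distinct denial, print (do not run) the checks to make next:
# does the repository exist, and who is bound to roles on it?
followup_checks() {
  denied_tuples | while read -r perm project location repo; do
    echo "# $perm denied on repository $repo ($location) in project $project"
    echo "gcloud artifacts repositories describe $repo --project=$project --location=$location"
    echo "gcloud artifacts repositories get-iam-policy $repo --project=$project --location=$location"
  done
}

sample_log | followup_checks
```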

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.