cloud-run-button icon indicating copy to clipboard operation
cloud-run-button copied to clipboard

Published 20 hours ago verified publisher icon GoogleCloudPlatform

Docker push fails due to lack of permission for Container Registry

Open evil-shrike opened this issue 1 year ago • 8 comments

At the last step of pushing a built container to Container Registry the procedure fails with an unauthenticated error:

[ ! ] Attempting to build this application with its Dockerfile...
[ ! ] FYI, running the following command:
        docker build -t gcr.io/arp-test-3/arp-installer app-reporting-pack/gcp/cloud-run-button
[ ✓ ] Built container image gcr.io/arp-test-3/arp-installer
[ ! ] FYI, running the following command:
        docker push gcr.io/arp-test-3/arp-installer
[ ✖ ] Failed to push container image to Google Container Registry.
Error: failed to push image to gcr.io/arp-test-3/arp-installer: docker push failed: exit status 1, output:
Using default tag: latest
The push refers to repository [gcr.io/arp-test-3/arp-installer]
581bf958b3be: Preparing
fa810cf7b9f7: Preparing
ebf9c408cfe4: Preparing
4376bb6bef20: Preparing
c9885fc563e4: Preparing
ec4d864ac810: Preparing
5af4f8f59b76: Preparing
ec4d864ac810: Waiting
5af4f8f59b76: Waiting
unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

It can be fixed via executing gcloud auth configure-docker.

But should not it work by default? I believe so.

I think it doesn't depend on specific application but just in case here're what I built: app.json:

{
  "name": "arp-installer",
  "options": {
    "allow-unauthenticated": false,
    "port": 80
  },
  "build": {
    "skip": false
  },
  "hooks": {
    "prebuild": {
      "commands": ["./prebuild.sh"]
    },
    "postcreate": {
      "commands": ["./postcreate.sh"]
    }
  }
}

Dockerfile:

FROM python:alpine
RUN apk add --update --no-cache py3-pip
EXPOSE 80/tcp
WORKDIR /app
CMD ["python3", "-m", "http.server", "80"]

evil-shrike avatar Dec 15 '23 10:12 evil-shrike

Thanks for reporting this, @evil-shrike. You're correct, the workaround is gcloud auth configure-docker. There may be an issue where the default registries configured in the environment do not include Container Registry. The configure-docker command will fix it, but it shouldn't need to be run in the first place. I will follow up internally.

glasnt avatar Jan 01 '24 22:01 glasnt

I can reproduce this issue, can this be looked into please.

geshan avatar Mar 16 '24 03:03 geshan

I solved this with using app.json :

{
    "name": "app",
    "hooks": {
        "prebuild": {
            "commands": [
                "gcloud auth configure-docker"
            ]
        }
    }
}

Other solution is to fork cloudrun-button-repo, add a call to gcloud auth configure-docker, build the image and push it to your registry (the image should be publicly available), and then use the following link to deploy your cloud-run application

https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/xxx/xxx.git&cloudshell_image=us-east1-docker.pkg.dev/your-registry/cloudshell-custom

yasser-chihab avatar May 06 '24 07:05 yasser-chihab

@glasnt Is there an update? The problem is still there.

rcknr avatar Jul 29 '24 09:07 rcknr

I have the same problem, any updates?

oskarissimus avatar Aug 27 '24 21:08 oskarissimus

@steren Can you maybe help tackling this problem?

rcknr avatar Aug 28 '24 05:08 rcknr

@glasnt and @justinmahood are the person who can help.

If I understand, to solve the issue, we need gcloud auth configure-docker to run before trying to push? Do we also need to migrate to Artifact Registry?

steren avatar Aug 28 '24 05:08 steren

The command works to temporarily get around the problem. To fully solve it a support for Artifact registry has to be added since Container registry is going to be shut down soon.

rcknr avatar Aug 28 '24 06:08 rcknr