User Might Not Have Container Write Access

[jamesward]

Pretty error message. Or maybe not show projects that the user can't actually use for deploy. @grant

[ahmetb]

Filtering projects is much tougher as 1000s may be returned. Or 100s for enterprise users.

Also I don’t think it’s possible to “test” what a user/token can do (for reasons like security) so I’m not sure if this is doable.

It’s basically not possible to check “can I push to this gcr registry” without actually doing an operation like deleting a tag etc.

[jamesward]

Yeah, so maybe we just have to catch the failure and handle it with a better error message.

[jamesward]

Maybe once a project is selected we can check perms, and if they aren't sufficient we ask them to select a different project. Or if we can't check the perms, catch the failure and then re-prompt to try a different project.

Also, maybe we should file a GCR feature request for adding a way to check the perms.

[ahmetb]

"Checking perms" is the difficult thing here. Docker Registry API doesn't really have a "test write access" option, we have to push an image to know that. (And we're pushing images with docker CLI which doesn't have the most parseable output.)

Also I don't think GCR can add such a feature as it’s primarily a Docker Registry v2 API implementation and nothing else.

I see two ways out of this:

1. Separate docker build and docker push functionality. If "push" fails re-prompt for project.

2. Use something like https://github.com/google/go-containerregistry to push the image without docker CLI.

[jonjohnsonjr]

@ImJasonH added https://github.com/google/go-containerregistry/blob/31e00cede111067bae48bfc2cbfc522b0b36207f/pkg/v1/remote/check.go#L12-L49 exactly for this reason.