docker-credential-gcr icon indicating copy to clipboard operation
docker-credential-gcr copied to clipboard

Published 20 hours ago verified publisher icon GoogleCloudPlatform

Unable to push images in GCR - “Caller does not have permission 'storage.buckets.create'.”

Open sunnygoel8 opened this issue 5 years ago • 2 comments

I'm using Standalone Docker credential helper authentication option to push docker images in GCR from local machine. Ran following command locally which created config.json file at following path - C:\Users\sunny.goel.docker

docker-credential-gcr configure-docker

Then I issued following command to get the credential for us.gcr.io region and noticed that secret returned in output doesn't match with auth attribute value for us.gcr.io region in config.json file. Shouldn't it match ideally ?

echo "https://us.gcr.io" | docker-credential-gcr get

Moreover, where can we find the caller information to assign the required roles (storage admin) ? I do see a number of service accounts but am not sure which one is used to create storage buckets ?

sunnygoel8 avatar Dec 28 '18 07:12 sunnygoel8

Assuming you're using gcloud and not a JSON key or environment-based auth, gcloud auth list should show you the current active account.

The auth attribute value in the config file is probably leftover from doing a docker login with some credentials. You shouldn't need an auths entry for the credential helper to work, e.g. my config looks like this:

{
	"auths": {},
	"credHelpers": {
		"asia.gcr.io": "gcr",
		"eu.gcr.io": "gcr",
		"gcr.io": "gcr",
		"us.gcr.io": "gcr"
	}
}

It may be that you just need to clear that secret in the auths entry.

jonjohnsonjr avatar Jan 02 '19 17:01 jonjohnsonjr

I hit the similar issue while i was trying to upload the docker image to GCR from container optimized OS, i ran the following sequence of command,

  1. Created a service account and assigned Storage Admin privileges.
  2. Downloaded the JSON key
  3. Executed docker-credential-gcr configure-docker
  4. Logged in with docker command - docker login -u _json_key -p "$(cat ./mygcrserviceaccount.JSON)" https://gcr.io
  5. Tried pushing the image gcr - docker push gcr.io/project-id/imagename:tage01

It failed with following error,

denied: Token exchange failed for project 'project-id'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

I tried giving every possible permission to my service account through IAM role but it would fail with same error.

After reading this issue i did the following changes,

  1. Removed the docker config directory rm -rf ~/.docker
  2. Executed docker-credential-gcr configure-docker
  3. Stored the JSON key into variable named GOOGLE_APPLICATION_CREDENTIALS GOOGLE_APPLICATION_CREDENTIALS=/path/to/mygcrserviceaccount.JSON
  4. Logged in with docker command - docker login -u _json_key -p "$(cat ${GOOGLE_APPLICATION_CREDENTIALS})" https://gcr.io
  5. Executed docker push command - docker push gcr.io/project-id/imagename:tage01

Voila, it worked like a charm!

opensourcejunkie101 avatar Jun 03 '20 22:06 opensourcejunkie101