This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Artifact Registry issue

Posted on 09-21-2023 04:53 PM
maheshdo
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I have been using container registry from a very long time but now it will deprecate from next year, I am going to use google artifactory registry. So here are my some queries:

1. I have created new repository in artifact registry and format is docker but when I push my image using Jenkins, it is created with name for repo as us.gcr.io. The complete path is

us-docker.pkg.dev/ProjectID/us.gcr.io/image:version

And that us.gcr.io is not a hostname as in ContainerRegistry but now is a folder inside the Project ID and the docker image inside the folder whichi s described as docker, unlike container registry has us.gcr.io as hostname. 

2. After I pushed a image to artifactory registry, via Jenkins deployment but there is an error with : DENIED: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/PROJECTNAME/locations/LOCATION/repositories/REPONAME" (or it may not exist)

ERROR: Build step failed with exception com.github.dockerjava.api.exception.DockerClientException: Could not push image: denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource

I have already given permission to Jenkins Service account the role for Artifact Registry Writer.

Do I need to add any other role for Artifact Registry  etc( Administrator or roles/artifactregistry.serviceAgent ) etc

Please help me with any solution.

0 3 1,863
Topic Labels
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
Marramirez
Staff
Reply posted on --/--/---- --:-- AM

Hello @maheshdo,

Welcome to the Google Cloud Community!

To answer your queries:

  1. In the Container Registry, all repositories in the registry share the same storage bucket which is the us.gcr.io hostname. That is because you can only create a single registry host in a multi region.
    Artifact Registry, on the other hand, has multiple and separate repositories in a single location. Each repository is a separate resource. Here you can add labels and IAM policies to each repository. Check out this blog.
  2. Check if you have configured your authentication properly .To setup docker authentication in the rgion us-central1 you can run the following command: 
    gcloud auth configure-docker us-central1-docker.pkg.dev
    Also, take a look at this Stack Overflow post as you might have the same problem. 

Let me know if it helped, thanks!

0 Likes

Posted on --/--/---- --:-- AM
maheshdo
Bronze 1
Bronze 1
In response to Marramirez
Reply posted on --/--/---- --:-- AM

Thank you for the details. Yes I have completed the authentication successfully. Even I'm able to pull the image from AR.

When I try to push image from Jenkins , in Jenkins I have added all the correct path and the registry path. 

I have added a service account ( Dev-Jenkins ) and have the Role assigned Artifact-Registry-Administrator. The role I see has reference permissions as artifactregistry.repositories.uploadArtifacts.

Does Artifact Registry Create on Push role also required with the Artifact-Writer-Role? 

0 Likes

Posted on --/--/---- --:-- AM
nob786
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi, I had the same issue with drone, this thread helped me out.

https://www.googlecloudcommunity.com/gc/Developer-Tools/Permission-quot-artifactregistry-repositorie...

0 Likes
Top Solution Authors
View all