Re: Permission "artifactregistry.repositories.uplo...

svoid · 04-07-2023 03:11 PM

I am trying to setup a repository in Artifact Registry and push an image to it from my local workstation (or cloud shell). I have done:

gcloud init
gcloud auth configure-docker us-west3-docker.pkg.dev
docker tag my-image us-west3-docker.pkg.dev/my-project/my-repo/my-image:latest
docker push us-west3-docker.pkg.dev/my-project/my-repo/my-image:latest

docker push responds with the following error:

denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us-west3/repositories/my-repo" (or it may not exist)

When I run `gcloud projects get-ancestors-iam-policy my-project`, I see that my user principal has both the roles/artifactregistry.repoAdmin and roles/artifactregistry.writer bound. Just to be safe, I ran `gcloud artifacts repositories add-iam-policy-binding my-repo --location=us-west3 --member=user:my-email@gmail.com --role=roles/artifactregistry.writer` to ensure that I had the permission bound directly to the repository. But I still get this error every time.

I have also tried the IAM policy troubleshooter and it shows that I should also have access to this resource. At this point, I have run out of ideas to check. Any thoughts?

svoid

I finally got something to work, but it was not what I expected. I was able to use:

gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-west3-docker.pkg.dev

followed by the docker push

This might mean that the problem wasn't with my account permissions but rather the docker <=> gcloud authentication integration.

skraju

could you please tell me how to push docker image to google artifact registry from terminal on GCP

ecasseano

saved my day, thank you !

zigshanklin

Thanks so much for posting this solution. It worked for me. I was getting nowhere trying to fix this issue by addressing permissions in the GCP console. ...zig

FranciscoAR

Thank you so much! I was blocked by this for a number of very frustrating hours and your solution saved me. Thanks!

drdoctor

I had the same problem, and it turned out it was because docker, when run with sudo, looks for credentials in /root/.docker instead of ~/.docker. I fixed the issue by running sudo usermod -aG docker $USER, logging out of my computer & back in, and then running docker push without sudo.

See this note from https://cloud.google.com/artifact-registry/docs/docker/authentication: "Note: If you normally run Docker commands on Linux with sudo, Docker looks for Artifact Registry credentials in /root/.docker/config.json instead of $HOME/.docker/config.json. If you want to use sudo with docker commands instead of using the Docker security group, configure credentials with sudo gcloud auth configure-docker instead."

zhougongjin555

The same problem occurred on the windows platform I used. After two days of troubleshooting, I found that I installed the windows version of gcloud and pushed the image in wsl. This problem occurred. Currently, I uninstalled the windows sdk and installed it. With the linux version of gcloud, all problems are solved. I hope it can help anyone.

bayan2019

I granted some permissions to ****@cloudbuild.gserviceaccount.com, i.e to cloud build service account that was provided by Google itself. Then it finally worked for me

Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/xxx/..."