Unable to access private container registry from gcloud compute VM
I'm trying to pull a container from a private gcloud registry from a gcloud VM using service account for authentication. The VM and registry are in the same project. No matter what I do I always get Error response from daemon: unauthorized.
XXX@sandbox:~$ gcloud auth configure-docker gcr.io
WARNING: Your config file at [/home/XXX/.docker/config.json] contains these credential helper entries:
{
"credHelpers": {
"gcr.io": "gcloud"
}
}
Adding credentials for: gcr.io
gcloud credential helpers already registered correctly.
XXX@sandbox:~$ sudo docker pull gcr.io/MY-PROJECT-ID/MY-IMAGE:latest
Error response from daemon: unauthorized: You don't have the needed permissions to perform
this operation, and you may have invalid credentials. To authenticate your request, follow
the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
The service account has Storage Admin role for the gcr.io storage bucket:
The VM has storage access enabled as Read-Write:
The VM was stopped, restarted multiple times. Docker is up to date:
XXX@sandbox:~$ which docker
/usr/bin/docker
XXX@sandbox:~$ sudo docker version
Client: Docker Engine - Community
Version: 19.03.8
API version: 1.40
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:26:02 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.8
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:24:36 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
I can get it to work using JSON keyfile but not with the recommended gcloud auth configure-docker. I guess there is some yet another undocumented switch or permission that I need to flip but I just can't see.
You can pass the account or the impersonate-service-account to the command:
gcloud auth configure-docker --account
gcloud auth configure-docker ----impersonate-service-account
When you run with sudo you change the environment and it will not authenticate to the gcr.io, thus the unauthorized.
- gobject/gnome/glib bindings for D using GIR?
- How do nested functions get compiled?
- The "this" pointer and message receiving in D
- 64-bit executables with DMD
- GtkD with D lang on Fedora
- Why Android used Java concept instead of D language or C or C++? But Chromium web browser is in C++, its very complicated match
- How to use MongoItemWriter to write a List<T>
- Why a function with protected modifier can be overridden and accessible every where?
- Convert Unicode const(uint)* to a dlang character type
- Compiling D with Code::Blocks
- DMD vs. GDC vs. LDC
- Rendering a font in raylib using freetype
- Digital Mars D compiler; acquiring ASM output
- D Programming: openssl rsa forward reference compiler error
- D compiler DMD doesn't link object files
- OPTLINK: Warning 23: No Stack
- Is there a limit in the amount of temporary generated symbols during a project build using dmd 2.063?
- Is this the right way to combine Garbage collected with none Garbage collected code in D
- D compiler (Digital Mars D Compiler) throwing error
- Which D Compiler to Use?
- Splitting a string treating multiple whitespace as one separator
- Proper way of passing array parameters to D functions
- Detailed Valgrind internals documentation
- Is it possible, in D, to tell the garbage collector to not scan a particular pointer (or anything below it)?
- Iterate over key/value pairs in associative array in D.
- Dlang associative array of an array of strings keyed by a string has unexpected behavior
- How to repeat a statement N times (simple loop)
- Is worth the effort to learn D?
- ld: undefined reference to object I can see in objdump
- D using emplace