Search code examples
gcloudkaniko

Invalid permissions after setting gcloud caching use_kaniko?

I encountered a strange permissions error while building Docker images on the cloud. I switched to another machine, installed Gcloud, did gcloud init and everything worked again.

However, I noticed while building images, it took much longer because I didn't enable kaniko cache (which I figured out from this post: gcloud rebuilds complete container but Dockerfile is the same, only the script has changed)

After enabling this feature, I tried to rebuild my last image and bam, the same error message:

Status: Downloaded newer image for gcr.io/kaniko-project/executor:latest

gcr.io/kaniko-project/executor:latest 

error checking push permissions -- 
make sure you entered the correct tag name, and that you are authenticated correctly, and try again: 

checking push permission for "eu.gcr.io/pipeline/tree-par": creating push check transport for eu.gcr.io failed: 
GET https://eu.gcr.io/v2/token?scope=repository%3pipeline%2Ftree-par%3Apush%2Cpull&service=eu.gcr.io:

UNAUTHORIZED: You don't have the needed permissions to perform this operation, and you may have invalid credentials.
To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication 

ERROR

ERROR: build step 0 "gcr.io/kaniko-project/executor:latest" failed: step exited with non-zero status: 1
-------------------------------------------------------------------------------------------------------------------------------

ERROR: (gcloud.builds.submit) build bad4a9a4-054d-4ad7-991d-e5aeae039b7c completed with status "FAILURE"

Anyone any idea why this failed upon enabling the Kaniko cache? I hate to not use it because when it still worked, it really decreased the time it took to create docker images.

Solution

  • It seems that the issue comes from Kaniko's end.

    Three days ago, on version v0.21.0, they added this fix:

    Fix: GCR credential helper check does not respect DOCKER_CONFIG environment variable

    Even after this release, 1 day later, this issue was reported where users saw a very similar Error message:

    "[...] You don't have the needed permissions to perform this operation, and you may have invalid credentials[...] "

    This was already fixed yesterday with the release of the v0.22.0 version. The suggested workaround is to execute the following command:

    gcr.io/kaniko-project/executor:v0.22.0

    I would suggest use that command instead of executor:latest to "force" the use of the v0.22.0 version.

    I hope this is helpful! :)