
IBM Cloud Code Engine: Build fails in step "step-build-and-push" with error UNAUTHORIZED


I have an existing IBM Cloud Code Engine project which was working before. I submitted a new buildrun, but it fails. Based on the error message it is due to permissions with the private image registry (IBM Cloud Container Registry). The IAM API Key is valid and is working for other tasks. There are no quota issues.

ibmcloud ce buildrun submit --build mybuild

Checking the status, it shows failed. Getting to the logs, these are the lines in question:

myproject-build-run-n9xm6-xxx-pod-yyy/step-build-and-push: error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "us.icr.io/henrik/myproject:latest": creating push check transport for us.icr.io failed: GET https://us.icr.io/oauth/token?scope=repository%3Ahenrik%myproject%3Apush%2Cpull&service=registry: UNAUTHORIZED: The login credentials are not valid, or your IBM Cloud account is not active.; The login credentials are not valid, or your IBM Cloud account is not active.

The error is the same regardless of whether I use the CLI or browser console.


Solution

  • It turns out that I had enabled enforced private endpoint access for the container registry, a security best practice. However, with that I needed the right credentials in Code Engine to access the container registry. Using the IBM Cloud Container Registry, in Code Engine I needed to

    • create registry credentials for the registry server private.<region>.icr.io, e.g., private.us.icr.io,
    • set the image name to have the private endpoint, too, e.g., private.us.icr.io/henrik/myproject.

    With both the credentials and the image name having matching server names, I succeeded and the error was gone.
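
The matching-server-name condition from the answer above can be checked before submitting a buildrun. The following is an added example, not part of the original post and not IBM tooling: the function names are hypothetical, the sample values are constructed from the names in the question, and it assumes private endpoint access is enforced for the registry as described.

```shell
#!/bin/sh
# Added example: check that a build's output image and the registry
# credentials name the same private IBM Cloud Container Registry endpoint.

# registry_host IMAGE_REF: print the registry host of an image reference.
# The first path component is a host only if it contains "." or ":" or is
# "localhost" (the usual image reference convention); otherwise docker.io.
registry_host() {
    ref=$1
    case $ref in
        */*) first=${ref%%/*} ;;
        *)   echo "docker.io"; return 0 ;;
    esac
    case $first in
        *.*|*:*|localhost) echo "$first" ;;
        *) echo "docker.io" ;;
    esac
}

# is_private_icr HOST: succeed for hosts of the form private.<region>.icr.io.
is_private_icr() {
    case $1 in
        private.*.icr.io) return 0 ;;
        *) return 1 ;;
    esac
}

# check_build_registry IMAGE_REF CREDENTIAL_SERVER
# returns 0 = matching and private, 1 = server names differ, 2 = public endpoint
check_build_registry() {
    host=$(registry_host "$1")
    server=${2#https://}          # tolerate a scheme prefix on the server
    server=${server%/}            # and a trailing slash
    if [ "$host" != "$server" ]; then
        echo "MISMATCH: image host '$host', credential server '$server'" >&2
        return 1
    fi
    if ! is_private_icr "$host"; then
        echo "PUBLIC: '$host' is not a private.<region>.icr.io endpoint" >&2
        return 2
    fi
    echo "OK: image and credentials both use $host"
}

# Constructed sample values: the first pair mixes a public image name with
# private credentials; the second pair is the consistent configuration.
check_build_registry "us.icr.io/henrik/myproject:latest" "private.us.icr.io" || true
check_build_registry "private.us.icr.io/henrik/myproject" "private.us.icr.io"
```

Return code 2 covers the case where both names agree but still point at the public endpoint, which is rejected once private endpoint access is enforced.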