Search code examples
dockergoogle-cloud-platformgoogle-cloud-buildgoogle-artifact-registrygoogle-devtools-cloudbuild

Unable to pull images from Artifact Registry when deploying to Cloud Run

Introduction

I am using Cloud Build for learning how to build Docker images, storing them in Artifact Registry and then deploying the final product to Cloud Run. Please see the cloudbuild.yaml below:

steps:
  # Build the container image
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '.', '-t', '[REGION]-docker.pkg.dev[projectId]/[repository]/[image]:latest']

  # Push to Artifact Registry
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', '[REGION]-docker.pkg.dev[projectId]/[repository]/[image]:latest']

  # List Docker images (for debugging)
  - name: 'gcr.io/cloud-builders/docker'
    args: ['images']

  # Log in to Artifact Registry
  - name: 'gcr.io/cloud-builders/docker'
    args: ['login', '[REGION]-docker.pkg.dev[projectId]/[repository]/[image]:latest']

  # Deploy to Cloud Run
  - name: 'gcloud'
    args:
      - 'run'
      - 'deploy'
      - 'REPLACE_WITH_SERVICE_NAME'
      - '--image'
      - '[REGION]-docker.pkg.dev[projectId]/[repository]/[image]:latest'
      - '--region'
      - 'REPLACE_WITH_REGION'
      - '--platform'
      - 'managed'
      - '--allow-unauthenticated'

All the steps are marked as successful in Cloud Build, but when it reaches the deployment to Cloud Run step it shows this error message:

Error response from daemon: pull access denied for gcloud, repository does not exist or may require docker login:denied:requested access to the resource is denied

I have been reading through the documentation and I made sure that the following requirements are met:

  1. I followed this Artifact Registry documentation for setting this up
  2. The repository and image exist in Artifact Registry
  3. Cloud Build service account has the necessary permissions to manage Artifact Registry resources:

    • roles/artifactregistry.reader

    • roles/artifactregistry.writer

Questions:

  • Am I missing any step in my cloudbuild.yaml?
  • Why I can push images to Artifact Registry, but not pull them for deployment?
Solution

  • The issue you are facing is attributable to incorrect build configuration (cloudbuild.yaml)

    In the build configuration you have a step with the name "gcloud". The Name of the step is not an arbitrary string, but needs to refer to the existing docker image. If the image is not prefixed with the domain it is being looked at in docker hub.

    Check this documentation on using cloud build to understand what the name parameter of the step is.

    And also check this document for sample cloud run deployment from cloud build

      steps:
  # Build the container image
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/SERVICE-NAME:$COMMIT_SHA', '.']
  # Push the container image to Container Registry
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'gcr.io/$PROJECT_ID/SERVICE-NAME:$COMMIT_SHA']
  # Deploy container image to Cloud Run
  - name: 'gcr.io/google.com/cloudsdktool/cloud-sdk'
    entrypoint: gcloud
    args:
    - 'run'
    - 'deploy'
    - 'SERVICE-NAME'
    - '--image'
    - 'gcr.io/$PROJECT_ID/SERVICE-NAME:$COMMIT_SHA'
    - '--region'
    - 'REGION'
  images:
  - 'gcr.io/$PROJECT_ID/SERVICE-NAME:$COMMIT_SHA'