Docker push to GAR does not work with service account impersonation

Hi,

I have correctly configured the service account and its role for the GAR docker repository.

$ gcloud artifacts repositories get-iam-policy my-repo --location=asia
bindings:
- members:
  - domain:my-domain.com
  role: roles/artifactregistry.reader
- members:
  - serviceAccount:@.iam.gserviceaccount.com
  role: roles/artifactregistry.writer
etag: BwYsVjoWHV4=
version: 1

$ gcloud auth configure-docker asia-docker.pkg.dev

$ gcloud auth print-access-token --impersonate-service-account @.iam.gserviceaccount.com | docker login -u oauth2accesstoken --password-stdin https://asia-docker.pkg.dev
WARNING: This command is using service account impersonation. All API calls will be executed as [@.iam.gserviceaccount.com].
Login Succeeded

The impersonation above is successful. However, I was never able to push an image to my repository. I always get permission denied.

$ docker push asia-docker.pkg.dev/my-project/my-repo/myapp:7.6.1-20250131
The push refers to repository [asia-docker.pkg.dev/my-project/my-repo/myapp]
db45a29311e3: Preparing
a5cb861e1b73: Preparing
8fa10c0194df: Waiting
f920c5680b0b: Waiting
denied: Permission “artifactregistry.repositories.uploadArtifacts” denied on resource “projects/my-project/locations/asia/repositories/my-repo” (or it may not exist)

I had to add roles/artifactregistry.writer to my main user account so that I can push it.

My question is: does the docker command not work with --impersonate-service-account?

Or am I missing something?

Regards,

Mohan

Hi @pmohan,

Welcome to Google Cloud Community!

Docker is not using the service account's credentials when you execute the docker push command. The docker login using --impersonate-service-account only sets the initial authentication. You need to configure Docker to always use the service account credentials by re-configuring the gcloud CLI credential helper.

Ensure the docker-credential-gcloud helper is properly configured for the service account.

Example: run gcloud auth configure-docker, specifying the service account, with the following CLI command:

gcloud auth configure-docker asia-docker.pkg.dev --account=<sa-name>@<prj-name>.iam.gserviceaccount.com

It tells the docker-credential-gcloud helper that when authenticating against repositories under asia-docker.pkg.dev, it should use the provided service account.

Verify your ~/.docker/config.json file. It should contain a credHelpers section like this for example (or similar):

{
    "credsStore": "desktop",
    "credHelpers": {
        "asia-docker.pkg.dev": "gcloud"
    }
}

For your reference, you may refer to these documentation pages.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
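To see why the token piped into `docker login` does not decide what `docker push` sends, here is an added shell check (not from the thread, and not Google's code) that resolves a registry host against a constructed ~/.docker/config.json using the Docker CLI's precedence: a per-host credHelpers entry, then credsStore, then a static auths entry. The config content and the token value are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed ~/.docker/config.json for the demo (not taken from the thread):
# the GAR host is routed to the gcloud helper AND still carries a static
# "auths" token left behind by an earlier `docker login --password-stdin`.
SAMPLE_CONFIG='{
  "auths": {
    "https://asia-docker.pkg.dev": { "auth": "PLACEHOLDER_BASE64_TOKEN" }
  },
  "credsStore": "desktop",
  "credHelpers": { "asia-docker.pkg.dev": "gcloud" }
}'
# has_static_auth CONFIG_JSON HOST: 0 if an "auths" entry exists for HOST
# (with or without the https:// prefix docker login writes).
has_static_auth() {
  printf '%s' "$1" | tr -d '\n' | grep -q '"auths"[[:space:]]*:[[:space:]]*{[^}]*"\(https://\)\{0,1\}'"$2"'"'
}

# docker_cred_source CONFIG_JSON HOST
# Prints the credential source Docker consults for HOST, in the Docker CLI's
# order of precedence: per-host credHelpers, then credsStore, then a static
# auths entry, else "none". The pattern matching on the flattened JSON is
# deliberately simple: enough for a config of the shape above, not a parser.
docker_cred_source() {
  local config host flat helper store
  config="$1"; host="$2"
  flat=$(printf '%s' "$config" | tr -d '\n')
  helper=$(printf '%s' "$flat" | sed -n 's/.*"credHelpers"[^}]*"'"$host"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  if [ -n "$helper" ]; then
    printf 'credHelpers:%s\n' "$helper"
    return 0
  fi
  store=$(printf '%s' "$flat" | sed -n 's/.*"credsStore"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  if [ -n "$store" ]; then
    printf 'credsStore:%s\n' "$store"
    return 0
  fi
  if has_static_auth "$config" "$host"; then
    printf 'auths\n'
    return 0
  fi
  printf 'none\n'
}

# shadowed_login CONFIG_JSON HOST: 0 when HOST has a static auths token that
# is never consulted because a credential helper owns that host.
shadowed_login() {
  case "$(docker_cred_source "$1" "$2")" in credHelpers:*) ;; *) return 1 ;; esac
  has_static_auth "$1" "$2"
}

shadowed_login "$SAMPLE_CONFIG" asia-docker.pkg.dev && echo "asia-docker.pkg.dev: docker push asks $(docker_cred_source "$SAMPLE_CONFIG" asia-docker.pkg.dev); the docker login token is ignored"
```

When the host resolves to the gcloud helper, whatever identity gcloud itself is configured with is what the push uses, which is why the helper configuration, not the login, has to carry the service account.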