Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/xxx

I am trying to download an image I pushed to Artifact Registry. Note that I am able to push the image. But when I try to download it using:

docker pull Google Cloud console

I get this error:

Error response from daemon: Head "https://gcr.io/v2/xxx/zzz/manifests/1.0": denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/xxx/locations/us/repositories/gcr.io" (or it may not exist)

I have verified the resource does exist using the web console. I have also run

gcloud auth configure-docker us-docker.pkg.dev
WARNING: Your config file at [/Users/me/.docker/config.json] contains these credential helper entries:

{
  "credHelpers": {
    "us-central1-docker.pkg.dev": "gcloud",
    "us-docker.pkg.dev": "gcloud"
  }
}
Adding credentials for: us-docker.pkg.dev
gcloud credential helpers already registered correctly.

Why is it giving the error? How can I fix it?

In general, the problem seems to be with the service account permissions vs. the virtual machine instance.

If you want to test it, you can recreate the virtual machine instance after the service account added the necessary access.

Also, reviewing the error message you are getting, it is recommended to transform the Dockerfile to cloudbuild.yaml by replacing all RUN commands with the corresponding build steps, using cloud builders.

From Dockerfile

FROM gcr.io/cloud-builders/gcloud

RUN gcloud auth list

RUN gsutil ls gs://[BUCKET-ID]/

To cloudbuild.yaml

steps:
# Replaces: RUN gcloud auth list
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['auth', 'list']
# Replaces: RUN gsutil ls gs://[BUCKET-ID]/
- name: 'gcr.io/cloud-builders/gsutil'
  args: ['ls', 'gs://[BUCKET-ID]/']

The full list of cloud builders.

I don’t think this answers my question, as there is no VM involved.

The fix for this is to run

$ gcloud auth configure-docker gcr.io

Looks like the official documentation is incorrect. It says to run:

2 Likes
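The mismatch that fix addresses (the pull goes to gcr.io, while the credHelpers printed in the question cover only the two pkg.dev hosts) can be checked mechanically. The following is an added example, not part of any post in this thread; the function names are hypothetical, the gcr.io image reference is reconstructed from the manifest URL in the error, and the pkg.dev reference is constructed for contrast.

```python
import json
from typing import Optional, Tuple

# Config printed in the question (quotes normalised to plain ASCII).
QUESTION_CONFIG = """
{
  "credHelpers": {
    "us-central1-docker.pkg.dev": "gcloud",
    "us-docker.pkg.dev": "gcloud"
  }
}
"""

def registry_host(image_ref: str) -> str:
    """Registry host of an image reference. Docker treats the first path
    component as a host only if it contains '.' or ':' or is 'localhost'."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"  # Docker's default registry

def credential_source(config: dict, host: str) -> Optional[str]:
    """Name the config.json entry that would supply credentials for host.
    Simplification (assumption): 'auths' keys are compared as bare hostnames."""
    helpers = config.get("credHelpers", {})
    if host in helpers:
        return "credHelpers:" + helpers[host]
    if host in config.get("auths", {}):
        return "auths"
    if config.get("credsStore"):
        return "credsStore:" + config["credsStore"]
    return None

def diagnose(config_text: str, image_ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (host, credential source, suggested command or None)."""
    host = registry_host(image_ref)
    source = credential_source(json.loads(config_text), host)
    is_google = host == "gcr.io" or host.endswith((".gcr.io", ".pkg.dev"))
    fix = None
    if source is None and is_google:
        fix = "gcloud auth configure-docker " + host
    return host, source, fix

if __name__ == "__main__":
    print(diagnose(QUESTION_CONFIG, "gcr.io/xxx/zzz:1.0"))
    print(diagnose(QUESTION_CONFIG, "us-docker.pkg.dev/xxx/repo/zzz:1.0"))
```

A `None` credential source means Docker has no configured helper for that host, so the registry only sees whatever the request carries without one.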

I had this same issue. What I did was to give the cloudbuild account of the current project the roles/artifactregistry.reader role on the other project. And it worked.

1 Like