VM Instances cannot pull images from Artifact Registry

We have docker swarm setup on a fleet of VM Instances in Europe-west1 region. Containers running in these instances pull docker images from Artifact Registry eu.gcr.io. which is in the same project. Currently I see the image pull request fails with the below error

Aug 13 11:13:04 ig-prod-4-t25s dockerd[828]: time=“2025-08-13T11:13:04.789971567Z” level=info msg=“Attempting next endpoint for pull after error: Get eu.gcr.io/v2/xyz/nginx:3f7c2869: unauthorized: authentication failed”

and I think they use cloud cli credential helper to establish authentication with artifact registry. When I redeploy the service it works. Also when I login and manually pull the image it works as well. Does this mean it has issues with token expiration. We used container registry before migrating to artifact registry and never had any issues. Is artifact registry enforcing the token to be rotated?

Hi @srinathjamboju9,

Artifact Registry enforces token rotation by using short-lived OAuth access tokens for authentication. These tokens are valid for a default period of 60 minutes. When you authenticate with docker-credential-gcr or gcloud auth configure-docker, Docker isn’t storing a permanent password it’s storing a temporary OAuth2 access token in “~/.docker/config.json”. Once that expires, Artifact Registry will reject pulls until the token is refreshed.

Do you have any google links where that is mentioned? I never had this problem with GCR though. Thanks for the response.