Google Container Registry: Permission issue while trying to pull/push images with authenticated credentials

huangapple go评论72阅读模式
英文:

Google Container Registry: Permission issue while trying to pull/push images with authenticated credentials

问题

在Ubuntu-22中,google-cloud已通过snap商店安装:

> whereis gcloud
gcloud:/snap/bin/gcloud
> snap list | grep google
google-cloud-sdk           432.0.0                     346    latest/stable    google-cloud-sdk**  classic

Docker也通过snap安装了:

> snap list | grep docker
docker                     20.10.24                    2893   latest/stable    canonical**

我已经通过以下方式对我的帐户进行了私有GCR的身份验证:

> gcloud auth login
您的浏览器已打开以访问:

    https://accounts.google.com/o/oauth2/auth?...<long_url>

您现在已登录为 [<my_email@address.com>]您当前的项目是 [<desired_project_name>]。您可以通过运行以下命令更改此设置:
  $ gcloud config set project PROJECT_ID

请再次检查登录过程:

> gcloud auth list
           Credentialed Accounts
ACTIVE             ACCOUNT
*                  <my_email@address.com>

要设置活动帐户,请运行:
    $ gcloud config set account `ACCOUNT`

但是,当我尝试拉取或推送任何映像时,我遇到了以下权限问题:

unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

我能够在浏览器中访问我尝试从私有GCR中拉取的映像,这让我认为这是与在终端中执行docker pull时的凭据相关的问题。

我在这里错过了什么?

PS:这个问题中的解决方案对我不起作用 https://stackoverflow.com/questions/59599316/unable-to-push-to-google-container-registry-permission-issue

编辑:

如评论中所要求,在auth login之前,我还执行了一步,即gcloud auth configure-docker,如下所示:

> gcloud auth configure-docker
Adding credentials for all GCR repositories.
WARNING: A long list of credential helpers may cause delays running 'docker build'. We recommend passing the registry name to configure only the registry you are using.
After update, the following will be written to your Docker config file located at 
[/home/<user>/.docker/config.json]:
 {
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    ...
  }
}

Do you want to continue (Y/n)?  

Docker configuration file updated.
英文:

In Ubuntu-22, google-cloud has been installed through snap store;

> whereis gcloud
gcloud: /snap/bin/gcloud
> snap list | grep google
google-cloud-sdk           432.0.0                     346    latest/stable    google-cloud-sdk**  classic

Docker has been installed via snap too;

> snap list | grep docker
docker                     20.10.24                    2893   latest/stable    canonical**

And I have authenticated my account to a private GCR as below;

> gcloud auth login
Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?...<long_url>


You are now logged in as [&lt;my_email@address.com&gt;].
Your current project is [&lt;desired_project_name&gt;].  You can change this setting by running:
  $ gcloud config set project PROJECT_ID

Double-checked the login process;

&gt; gcloud auth list
           Credentialed Accounts
ACTIVE             ACCOUNT
*                  &lt;my_email@address.com&gt;

To set the active account, run:
    $ gcloud config set account `ACCOUNT`

But, when I try to pull or push any image, I hit the following permission issue;

unauthorized: You don&#39;t have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

I am able to access to the image which I try to pull from the private GCR in my browser, this makes me think that it is an issue related to creds while performing docker pull in my terminal.

What am I missing here?

PS: The solution in this question did not work for me https://stackoverflow.com/questions/59599316/unable-to-push-to-google-container-registry-permission-issue


EDIT:

As it is asked in the comments, I need to mention that I have performed one more step before auth login which is gcloud auth configure-docker as below;

&gt; gcloud auth configure-docker
Adding credentials for all GCR repositories.
WARNING: A long list of credential helpers may cause delays running &#39;docker build&#39;. We recommend passing the registry name to configure only the registry you are using.
After update, the following will be written to your Docker config file located at 
[/home/&lt;user&gt;/.docker/config.json]:
 {
  &quot;credHelpers&quot;: {
    &quot;gcr.io&quot;: &quot;gcloud&quot;,
    &quot;us.gcr.io&quot;: &quot;gcloud&quot;,
    ...
  }
}

Do you want to continue (Y/n)?  

Docker configuration file updated.

答案1

得分: 1

发布此内容作为社区wiki,以供所有人查看。

解决docker的权限问题是通过使用APT软件包管理器重新安装docker来解决的。正如John Hanley所说,该问题似乎是通过snap安装Docker时出现的错误。建议使用APT来安装Docker,Docker自己也建议这样做

还值得注意的是,您应该始终删除/卸载先前的安装。根据这篇帖子,也建议始终使用snap或apt,因为它们不能共存。

英文:

Posting this as a community wiki for everyone's visibility.

The permission issue with the docker was resolve by re-installing the docker with APT package manager. As said by John Hanley, the issue appears to be a bug with how the Docker was installed via snap. Using APT to install Docker is recommended by Docker themselves.

Its also important to note that you should always remove/uninstall previous installations. According to this post, its also recommended to use either snap or apt all the way, as they can't co-exist.

答案2

得分: 1

卸载 snap 安装并使用包管理器 apt 安装 docker 已经解决了我的问题。

我观察到两种安装方式之间的差异如下:

  • 使用 snap,一旦执行 gcloud auth login 并将我重定向到浏览器,身份验证只需选择 Google 帐号(请查看我问题中的第3个代码块,不会要求输入 authorization code)。
  • 使用 apt,在选择所需的 Google 帐号后,我会被重定向到另一页,需要提供 authorization code,然后在终端中输入;
> gcloud auth login
Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?...<长网址>

Enter authorization code: <从浏览器复制的代码>  // 这就是区别!!

You are now logged in as [<我的邮箱地址>].
Your current project is [<期望的项目名称>].  You can change this setting by running:
  $ gcloud config set project PROJECT_ID

感谢 @JohnHanley 指出 docker 推荐使用 apt 安装。

英文:

Removing snap installation and installing docker with package manager apt has fixed my issue.

The difference I have observed between two installations;

  • With snap, once gcloud auth login directs me to browser, authentication was completed by choosing google account only (Please see the 3rd code block in my question, no authorization code was asked).
  • With apt, after choosing the desired google account, I was directed to another page where the authorization code was provided which needed to be entered in the terminal;
&gt; gcloud auth login
Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?...<long_url>

Enter authorization code: &lt;Code_from_browser&gt;  // This is the difference!!

You are now logged in as [&lt;my_email@address.com&gt;].
Your current project is [&lt;desired_project_name&gt;].  You can change this setting by running:
  $ gcloud config set project PROJECT_ID

Thank you @JohnHanley pointed out that docker recommends apt installation.

huangapple
  • 本文由 发表于 2023年6月1日 21:48:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/76382591.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定