
I created a new VM instance on my GCE compute engine (I have Owner permissions). On that instance, I installed git, docker, and gcloud - everything is done under sudo su.

I was hoping I can use that VM instance to deploy images to GCR, but whatever I do - I cannot seem to have sufficient permissions to push the images from that instance.

  1. I granted "Storage Admin" along with the "Editor" permissions to the VM Instance (autogenerated) IAM service-account.
  2. When I run docker login eu.gcr.io I receive Login Succeeded with no problems.
  3. I copied both a p12 key and a .json key to the .ssh folder (I generated them on the IAM console) - but that was of no use either.
  4. To tag and push the docker image, I use this:

    docker tag [SOURCE_IMAGE] [HOSTNAME]/[PROJECT-ID]/[IMAGE]

and

    docker push [HOSTNAME]/[PROJECT-ID]/[IMAGE]

Notice: It seems that at this stage (2018) gcloud docker -- push is obsolete (and it didn't work for me either...)

Notice: The bucket is NOT created yet, so setting permissions on the Storage console is out of the question at this point.

What could be the reason for the Permission Denied problem ?

Pierre.Vriens
orberkov

2 Answers


From the Before you begin section of the instructions you referenced:

Make sure that you:

  1. Have access to the registries which you will be pushing to and pulling from

This is specified in more detail in Using Container Registry with Google Cloud Platform:

To push private Docker images from a Compute Engine instance, your instance must have read-write or full-control permission to the image's bucket.

So the GCS bucket corresponding to gcr.io (or whichever GCR domain you want to use) and the desired cloud project must already be created and your GCE instance's service account must have the necessary role/permissions for push operations.

It's true, the instructions you referenced mention in Push the tagged image to Container Registry:

When you push an image to a registry with a new hostname, Container Registry creates a storage bucket in the specified multi-regional location.

So I believe you'd have to:

  • first create the bucket by executing a push to the desired GCR domain and project, but:
    • from your own computer (or some machine which is not a GCE instance, but YMMV)
    • using the credentials of an acceptable identity, not the GCE instance service account's. I'd try with real user credentials; I'm not sure if a service account's would cut it.
  • after the bucket is created add to its access control the GCE instance service account's role/permissions for push operations
  • then perform pushes from the GCE instance
Dan Cornilescu

I faced this same problem when I was trying to automate a GCP Kubernetes deployment using Jenkins, putting the image in GCR. I created one service account with admin permission in GCP IAM.

I launched one VM with that same IAM service account.

I installed the gcloud SDK as described here and ran the following commands:

    gcloud init

    gcloud auth configure-docker

    cd my_api && docker build --no-cache -t my_api .

    docker tag my_api asia.gcr.io/firebase-mytalk/my_api:latest

    gcloud docker -- push asia.gcr.io/firebase-mytalk/my_api:latest

ShreePool
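The two answers above, combined into one script, as an added example that is not part of the question or of either answer. It builds the registry reference the question's `docker tag` step needs (rejecting hostnames that are not Container Registry ones), and before pushing it reads the access scopes the VM's service account actually presents from the instance metadata server: an autogenerated Compute Engine service account carries only the read-only storage scope by default, and no IAM role granted to it can widen that, which is a separate check from the bucket permissions the first answer discusses. The metadata endpoint, `gcloud auth configure-docker` and the `gcloud compute instances set-service-account --scopes` flag are real; the function names, the `GCR_HOSTS` list and the host/project/image values in the usage line are my own placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the question's or answers' own code): push an image to GCR
# from a GCE VM after checking what credentials the VM really presents.
set -euo pipefail

# Container Registry hostnames; each maps to a multi-regional storage bucket.
GCR_HOSTS="gcr.io us.gcr.io eu.gcr.io asia.gcr.io"

# gcr_image_ref HOST PROJECT IMAGE [TAG]
# Prints HOST/PROJECT/IMAGE:TAG; fails if HOST is not a GCR hostname.
gcr_image_ref() {
  local host="$1" project="$2" image="$3" tag="${4:-latest}"
  case " $GCR_HOSTS " in
    *" $host "*) ;;
    *) echo "unknown GCR host: $host" >&2; return 1 ;;
  esac
  printf '%s/%s/%s:%s\n' "$host" "$project" "$image" "$tag"
}

# scopes_allow_push SCOPES
# Returns 0 if the whitespace-separated OAuth scope list lets the token write to
# Cloud Storage (GCR is backed by GCS). devstorage.read_only, the default on an
# autogenerated GCE service account, is not enough whatever IAM roles it holds.
scopes_allow_push() {
  local scopes="$1"
  case "$scopes" in
    *"auth/devstorage.read_write"*|*"auth/devstorage.full_control"*|*"auth/cloud-platform"*) return 0 ;;
    *) return 1 ;;
  esac
}

# vm_scopes: access scopes of the instance's default service account, one per
# line, from the metadata server (only reachable from inside a GCE VM).
vm_scopes() {
  curl -fsS -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# push_to_gcr HOST PROJECT IMAGE [TAG]
# Assumes the local image IMAGE:TAG already exists (docker build done).
push_to_gcr() {
  local host="$1" project="$2" image="$3" tag="${4:-latest}"
  local ref scopes
  ref="$(gcr_image_ref "$host" "$project" "$image" "$tag")"
  scopes="$(vm_scopes | tr '\n' ' ')"
  if ! scopes_allow_push "$scopes"; then
    echo "instance scopes ($scopes) do not allow writing to $host." >&2
    echo "Stop the VM and widen them, e.g.:" >&2
    echo "  gcloud compute instances set-service-account VM_NAME --scopes=storage-rw" >&2
    return 1
  fi
  # Registers the gcloud credential helper for *.gcr.io in ~/.docker/config.json,
  # so plain docker push uses the VM service account's token.
  gcloud auth configure-docker --quiet
  docker tag "$image:$tag" "$ref"
  docker push "$ref"
}

# usage (placeholder values): push_to_gcr eu.gcr.io my-project my-api latest
```

Run it on the VM as the same user that runs docker; `docker login` succeeding (as in the question) only proves the credential helper handed over a token, not that the token's scopes or the service account's bucket permissions allow a write, which is why the scope check comes before the push.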