我已经gcloud auth login,gcloud auth configure-docker,gcloud components install docker-credential-gcr,gcloud config set project gcp-project-id-example。
我之前已经推送到此存储库,所以我有点惊讶它现在还没有工作?我已使用gcloud auth login进行了身份验证,我的用户拥有完整的编辑权限。
sudo gcloud docker -- push eu.gcr.io/gcp-project-id-example/pipelinebuild:latest
WARNING: `gcloud docker` will not be supported for Docker client versions above 18.03.
As an alternative, use `gcloud auth configure-docker` to configure `docker` to
use `gcloud` as a credential helper, then use `docker` as you would for non-GCR
registries, e.g. `docker pull gcr.io/project-id/my-image`. Add
`--verbosity=error` to silence this warning: `gcloud docker
--verbosity=error -- pull gcr.io/project-id/my-image`.
See: https://cloud.google.com/container-registry/docs/support/deprecation-notices#gcloud-docker
The push refers to repository [eu.gcr.io/gcp-project-id-example/pipelinebuild]
09a1efc2708d: Preparing
484c62332bc0: Preparing
737446294222: Preparing
5330921097a0: Preparing
898d09fcad4e: Preparing
8ebe2c7c93e3: Waiting
2d360789868b: Waiting
43c7850e5ceb: Waiting
212ad79ba733: Waiting
b12c0a65bf50: Waiting
2ec89235b54b: Waiting
770a49082d40: Waiting
2a4ee56ebd9d: Waiting
f38582ca1d15: Waiting
3cc68fcb53a4: Waiting
577d10d964a3: Waiting
96e5efb05969: Waiting
aae94198c5bb: Waiting
9e5b0f110abc: Waiting
bddf843523ce: Waiting
6ab9447934c9: Waiting
9cc1209e0dce: Waiting
072f13fb321e: Waiting
0926f7bf84b3: Waiting
cdb414de0edf: Waiting
eceffb9b1d52: Waiting
6219baf3e782: Waiting
c9189dccc6a7: Waiting
93715b5af77e: Waiting
032237575276: Waiting
5f70bf18a086: Waiting
0d81735d8272: Waiting
982549bd6b32: Waiting
8698b31c92d5: Waiting
denied: Token exchange failed for project 'gcp-project-id-example'. Caller does not have permission 'storage.buckets.get'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
我也尝试过:
docker login -u _json_key --password-stdin https://eu.gcr.io < aysc.json:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
但仍然可以使用gcloud docker -- push ...或仅docker push ...获得相同的行为。
我刚刚从零开始创建了一个全新的GCP项目,但我仍然有同样的行为。我认为必须在我的系统上重新配置一些东西。
为什么我收到此错误?
答案 0 :(得分:3)
创建并下载keyfile.json后 我将GOOGLE_APPLICATION_CREDENTIALS导出到文件的位置
export GOOGLE_APPLICATION_CREDENTIALS=/var/lib/jenkins/gcp/keyfile.json
这就是我为我所做的:
docker login -u _json_key -p "`cat ${GOOGLE_APPLICATION_CREDENTIALS}`" https://gcr.io
希望对您有帮助
答案 1 :(得分:1)
似乎使用item存在一些问题(我需要在我的机器上访问docker)。
直接从root运行时效果很好......所以可能是一个错误。
我认为这是由以前服务帐户的缓存引起的(请参阅此处https://github.com/kubernetes/kubernetes/issues/34395)。
答案 2 :(得分:1)
我怀疑问题在于sudo。我能够在不使用sudo的情况下对gcr.io/some-registry/some-image进行“ docker push”。然后突然之间,我无法运行相同的“ docker push”命令,并得到“拒绝:my-gcp-project的令牌交换失败。
答案 3 :(得分:1)
当您以普通用户身份运行gcloud auth configure-docker时,它会将配置文件保存在~/.docker/config.json中-通过root用户或sudo运行时,此文件将不被使用。 ...
sudo -u $USER docker push gcr.io/example/example:latest
答案 4 :(得分:0)
运行此命令以再次激活令牌-
gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io
答案 5 :(得分:0)
当我尝试将Docker镜像从容器优化的操作系统上载到GCR时,我遇到了类似的问题,我运行了以下命令序列,
docker-credential-gcr configure-docker docker login -u _json_key -p "$(cat ./mygcrserviceaccount.JSON)" https://gcr.io docker push gcr.io/project-id/imagename:tage01 它失败,并显示以下错误
denied: Token exchange failed for project 'project-id'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
我尝试通过IAM角色为我的服务帐户授予所有可能的权限,但是由于相同的错误,它会失败。
阅读此issue之后,我进行了以下更改,
rm -rf ~/.docker docker-credential-gcr configure-docker GOOGLE_APPLICATION_CREDENTIALS=/path/to/mygcrserviceaccount.JSON 使用docker命令登录-docker login -u _json_key -p "$(cat ${GOOGLE_APPLICATION_CREDENTIALS})" https://gcr.io
已执行的docker push命令-docker push gcr.io/project-id/imagename:tage01
Voila,它就像一个魅力!
答案 6 :(得分:-1)
在运行docker登录之前,请尝试:
gcloud auth activate-service-account --key-file new-service-account-credentials.json
此操作只需执行一次。