Google Cloud Container注册表/工件注册表权限

时间:2020-09-30 16:00:06

标签: docker google-cloud-platform google-container-registry

我正在尝试使用Google Cloud SDK将容器推送到Windows 10上的Google Cloud Container Registry或Google Cloud Artifact Registry。我从两个服务都收到类似的权限错误,但是我似乎无法弄清楚原因。对于Container Registry,在推送时我得到:

> docker push us.gcr.io/{PROJECT}/{PATH}/{CONTAINER}:{TAG}
unauthorized: You don't have the needed permissions to perform this operation, 
and you may have invalid credentials. To authenticate your request, follow the 
steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

在Artifact Registry上,我得到:

> docker push northamerica-northeast1-docker.pkg.dev/{PROJECT}/{REPOSITORY}/{CONTAINER}:{TAG}
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource 
"projects/opallabs/locations/northamerica-northeast1/repositories/domar" (or it may not exist)

我已经跑过gcloud initgcloud auth configure-docker几次了。我可以使用gcloud从命令行创建和编辑Google Cloud资源,而不会遇到任何麻烦。我是Google Cloud项目的所有者,但是为了安全起见,我为自己分配了存储管理员,Artifact Registry管理员,Artifact Registry信息库管理员。但是,当我运行gcloud auth print-access-token并使用https://www.googleapis.com/oauth2/v1/tokeninfo端点分析令牌时,出现的唯一作用域是:

{
  ...
  "scope": "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud- 
  platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/compute 
  https://www.googleapis.com/auth/accounts.reauth",
  ...
}

根据troubleshooting link,,可能缺少https://www.googleapis.com/auth/devstorage.read_writehttps://www.googleapis.com/auth/devstorage.full_control范围,但是我不确定为什么会丢失它们。我按照设置说明在最后一台Windows 10计算机上进行了此操作,但是在新计算机上进行的相同设置似乎无效。

我的Docker凭证帮助者条目:

{
  "credHelpers": {
    "gcr.io": "gcloud",
    "us.gcr.io": "gcloud",
    "eu.gcr.io": "gcloud",
    "asia.gcr.io": "gcloud",
    "staging-k8s.gcr.io": "gcloud",
    "marketplace.gcr.io": "gcloud",
    "northamerica-northeast1-docker.pkg.dev": "gcloud",
    "us-central1-docker.pkg.dev": "gcloud"
  }
}

> docker-credential-gcloud list
{
  "https://asia.gcr.io": "_dcgcloud_token",
  "https://eu.gcr.io": "_dcgcloud_token",
  "https://gcr.io": "_dcgcloud_token",
  "https://marketplace.gcr.io": "_dcgcloud_token",
  "https://staging-k8s.gcr.io": "_dcgcloud_token",
  "https://us.gcr.io": "_dcgcloud_token"
}

gcloud -v
Google Cloud SDK 311.0.0
Beta 2020.09.18
bq 2.0.60
核心2020.09.18
gsutil 4.53

docker -v
Docker版本19.03.13,内部版本4484c46d9d

1 个答案:

答案 0 :(得分:1)

感谢link提供的Muss Rahman,通过转到Docker Desktop中的“设置”->“命令行”,然后取消选中“启用云体验”开关,我能够进行身份验证。 docker manual中似乎没有该设置,所以我不确定它如何影响身份验证,我所知道的是,对于Docker版本19.03.13,如果要使用gcloud进行身份验证,请在Windows上构建4484c46d9d需要禁用。

相关问题
最新问题