Unable to push images in GCR - “Caller does not have permission 'storage.buckets.create'.”












0














I'm using Standalone Docker credential helper authentication option to push docker images in GCR. Ran following command locally which created config.json file at following path - C:Userssunny.goel.docker



***docker-credential-gcr configure-docker***


Then I issued following command to get the credential for us.gcr.io region and noticed that secret returned in output doesn't match with auth attribute value for us.gcr.io region in config.json file. Shouldn't it match ideally ?



***echo "https://us.gcr.io" | docker-credential-gcr get***


Moreover, where can we find the caller information to assign the required roles (storage admin)? I do see a number of service accounts but am not sure which one is used to create storage buckets?






docker security google-cloud-platform google-container-registry







share|improve this question
























  • It seems at the "config.json" file, we see "token" and when we run "$echo "us.gcr.io" | docker-credential-gcr get", it returns "secret". Also, the error you are getting seems like an issue with cloud IAM permission. You can run "$gcloud auth list" to find the active account and see if that account has "Storage Admin" role.
    – Rahi R
    Jan 3 at 0:22
















0














I'm using Standalone Docker credential helper authentication option to push docker images in GCR. Ran following command locally which created config.json file at following path - C:Userssunny.goel.docker



***docker-credential-gcr configure-docker***


Then I issued following command to get the credential for us.gcr.io region and noticed that secret returned in output doesn't match with auth attribute value for us.gcr.io region in config.json file. Shouldn't it match ideally ?



***echo "https://us.gcr.io" | docker-credential-gcr get***


Moreover, where can we find the caller information to assign the required roles (storage admin)? I do see a number of service accounts but am not sure which one is used to create storage buckets?






docker security google-cloud-platform google-container-registry







share|improve this question
























  • It seems at the "config.json" file, we see "token" and when we run "$echo "us.gcr.io" | docker-credential-gcr get", it returns "secret". Also, the error you are getting seems like an issue with cloud IAM permission. You can run "$gcloud auth list" to find the active account and see if that account has "Storage Admin" role.
    – Rahi R
    Jan 3 at 0:22














0












0








0







I'm using Standalone Docker credential helper authentication option to push docker images in GCR. Ran following command locally which created config.json file at following path - C:Userssunny.goel.docker



***docker-credential-gcr configure-docker***


Then I issued following command to get the credential for us.gcr.io region and noticed that secret returned in output doesn't match with auth attribute value for us.gcr.io region in config.json file. Shouldn't it match ideally ?



***echo "https://us.gcr.io" | docker-credential-gcr get***


Moreover, where can we find the caller information to assign the required roles (storage admin)? I do see a number of service accounts but am not sure which one is used to create storage buckets?






docker security google-cloud-platform google-container-registry







share|improve this question















I'm using Standalone Docker credential helper authentication option to push docker images in GCR. Ran following command locally which created config.json file at following path - C:Userssunny.goel.docker



***docker-credential-gcr configure-docker***


Then I issued following command to get the credential for us.gcr.io region and noticed that secret returned in output doesn't match with auth attribute value for us.gcr.io region in config.json file. Shouldn't it match ideally ?



***echo "https://us.gcr.io" | docker-credential-gcr get***


Moreover, where can we find the caller information to assign the required roles (storage admin)? I do see a number of service accounts but am not sure which one is used to create storage buckets?






docker security google-cloud-platform google-container-registry




docker security google-cloud-platform google-container-registry






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 2 at 12:14









alp

393




393










asked Dec 28 '18 at 0:41









Sunny Goel

2316




2316












  • It seems at the "config.json" file, we see "token" and when we run "$echo "us.gcr.io" | docker-credential-gcr get", it returns "secret". Also, the error you are getting seems like an issue with cloud IAM permission. You can run "$gcloud auth list" to find the active account and see if that account has "Storage Admin" role.
    – Rahi R
    Jan 3 at 0:22


















  • It seems at the "config.json" file, we see "token" and when we run "$echo "us.gcr.io" | docker-credential-gcr get", it returns "secret". Also, the error you are getting seems like an issue with cloud IAM permission. You can run "$gcloud auth list" to find the active account and see if that account has "Storage Admin" role.
    – Rahi R
    Jan 3 at 0:22
















It seems at the "config.json" file, we see "token" and when we run "$echo "us.gcr.io" | docker-credential-gcr get", it returns "secret". Also, the error you are getting seems like an issue with cloud IAM permission. You can run "$gcloud auth list" to find the active account and see if that account has "Storage Admin" role.
– Rahi R
Jan 3 at 0:22




It seems at the "config.json" file, we see "token" and when we run "$echo "us.gcr.io" | docker-credential-gcr get", it returns "secret". Also, the error you are getting seems like an issue with cloud IAM permission. You can run "$gcloud auth list" to find the active account and see if that account has "Storage Admin" role.
– Rahi R
Jan 3 at 0:22












1 Answer
1






active

oldest

votes


















1














Have you ran docker-credential-gcr gcr-login? If you have done so, it should use your account to access the storage. If not, do you have gcloud installed and logged in?



Once credential helper is set in your config.json, you should see something like:

"credHelpers": { "us.gcr.io": "gcr", "gcr.io": "gcr", ... }



If you have that, then docker would ignore auths attribute.






share|improve this answer





















  • Hi @shou3301, Thanks for your response. I ran "docker-credential-gcr gcr-login" as a backup option to push images in GCR. Yes, it used my account to access the storage. I can see credHelpers object in config.json file but it's throwing an error that "Caller doesn't have permission to create or get storage buckets" . Which account is used to create/get the bucket in this case?
    – Sunny Goel
    Dec 28 '18 at 19:34












  • Moreover, what's the purpose of auths attribute then ?
    – Sunny Goel
    Dec 28 '18 at 19:36










  • What do you mean by running docker-credential-gcr gcr-login as a backup option? What's your first option? If it uses your account to access the storage, it should use the same account (your account) to create the bucket. Definitely check if you have permission to do so in IAM.
    – shou3301
    Jan 2 at 19:49










  • You are right.. I was thinking in a different direction. docker-credential-gcr is GCR's standalone, gcloud SDK independent Docker credential helper. Post configuring the docker CLI using following command (docker-credential-gcr configure-docker), we need to run following command (docker-credential-gcr gcr-login) as well to authenticate with GCR.
    – Sunny Goel
    2 days ago













Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53952448%2funable-to-push-images-in-gcr-caller-does-not-have-permission-storage-buckets%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














Have you ran docker-credential-gcr gcr-login? If you have done so, it should use your account to access the storage. If not, do you have gcloud installed and logged in?



Once credential helper is set in your config.json, you should see something like:

"credHelpers": { "us.gcr.io": "gcr", "gcr.io": "gcr", ... }



If you have that, then docker would ignore auths attribute.






share|improve this answer





















  • Hi @shou3301, Thanks for your response. I ran "docker-credential-gcr gcr-login" as a backup option to push images in GCR. Yes, it used my account to access the storage. I can see credHelpers object in config.json file but it's throwing an error that "Caller doesn't have permission to create or get storage buckets" . Which account is used to create/get the bucket in this case?
    – Sunny Goel
    Dec 28 '18 at 19:34












  • Moreover, what's the purpose of auths attribute then ?
    – Sunny Goel
    Dec 28 '18 at 19:36










  • What do you mean by running docker-credential-gcr gcr-login as a backup option? What's your first option? If it uses your account to access the storage, it should use the same account (your account) to create the bucket. Definitely check if you have permission to do so in IAM.
    – shou3301
    Jan 2 at 19:49










  • You are right.. I was thinking in a different direction. docker-credential-gcr is GCR's standalone, gcloud SDK independent Docker credential helper. Post configuring the docker CLI using following command (docker-credential-gcr configure-docker), we need to run following command (docker-credential-gcr gcr-login) as well to authenticate with GCR.
    – Sunny Goel
    2 days ago


















1














Have you ran docker-credential-gcr gcr-login? If you have done so, it should use your account to access the storage. If not, do you have gcloud installed and logged in?



Once credential helper is set in your config.json, you should see something like:

"credHelpers": { "us.gcr.io": "gcr", "gcr.io": "gcr", ... }



If you have that, then docker would ignore auths attribute.






share|improve this answer





















  • Hi @shou3301, Thanks for your response. I ran "docker-credential-gcr gcr-login" as a backup option to push images in GCR. Yes, it used my account to access the storage. I can see credHelpers object in config.json file but it's throwing an error that "Caller doesn't have permission to create or get storage buckets" . Which account is used to create/get the bucket in this case?
    – Sunny Goel
    Dec 28 '18 at 19:34












  • Moreover, what's the purpose of auths attribute then ?
    – Sunny Goel
    Dec 28 '18 at 19:36










  • What do you mean by running docker-credential-gcr gcr-login as a backup option? What's your first option? If it uses your account to access the storage, it should use the same account (your account) to create the bucket. Definitely check if you have permission to do so in IAM.
    – shou3301
    Jan 2 at 19:49










  • You are right.. I was thinking in a different direction. docker-credential-gcr is GCR's standalone, gcloud SDK independent Docker credential helper. Post configuring the docker CLI using following command (docker-credential-gcr configure-docker), we need to run following command (docker-credential-gcr gcr-login) as well to authenticate with GCR.
    – Sunny Goel
    2 days ago
















1












1








1






Have you ran docker-credential-gcr gcr-login? If you have done so, it should use your account to access the storage. If not, do you have gcloud installed and logged in?



Once credential helper is set in your config.json, you should see something like:

"credHelpers": { "us.gcr.io": "gcr", "gcr.io": "gcr", ... }



If you have that, then docker would ignore auths attribute.






share|improve this answer












Have you ran docker-credential-gcr gcr-login? If you have done so, it should use your account to access the storage. If not, do you have gcloud installed and logged in?



Once credential helper is set in your config.json, you should see something like:

"credHelpers": { "us.gcr.io": "gcr", "gcr.io": "gcr", ... }



If you have that, then docker would ignore auths attribute.







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 28 '18 at 16:37









shou3301

1049




1049












  • Hi @shou3301, Thanks for your response. I ran "docker-credential-gcr gcr-login" as a backup option to push images in GCR. Yes, it used my account to access the storage. I can see credHelpers object in config.json file but it's throwing an error that "Caller doesn't have permission to create or get storage buckets" . Which account is used to create/get the bucket in this case?
    – Sunny Goel
    Dec 28 '18 at 19:34












  • Moreover, what's the purpose of auths attribute then ?
    – Sunny Goel
    Dec 28 '18 at 19:36










  • What do you mean by running docker-credential-gcr gcr-login as a backup option? What's your first option? If it uses your account to access the storage, it should use the same account (your account) to create the bucket. Definitely check if you have permission to do so in IAM.
    – shou3301
    Jan 2 at 19:49










  • You are right.. I was thinking in a different direction. docker-credential-gcr is GCR's standalone, gcloud SDK independent Docker credential helper. Post configuring the docker CLI using following command (docker-credential-gcr configure-docker), we need to run following command (docker-credential-gcr gcr-login) as well to authenticate with GCR.
    – Sunny Goel
    2 days ago




















  • Hi @shou3301, Thanks for your response. I ran "docker-credential-gcr gcr-login" as a backup option to push images in GCR. Yes, it used my account to access the storage. I can see credHelpers object in config.json file but it's throwing an error that "Caller doesn't have permission to create or get storage buckets" . Which account is used to create/get the bucket in this case?
    – Sunny Goel
    Dec 28 '18 at 19:34












  • Moreover, what's the purpose of auths attribute then ?
    – Sunny Goel
    Dec 28 '18 at 19:36










  • What do you mean by running docker-credential-gcr gcr-login as a backup option? What's your first option? If it uses your account to access the storage, it should use the same account (your account) to create the bucket. Definitely check if you have permission to do so in IAM.
    – shou3301
    Jan 2 at 19:49










  • You are right.. I was thinking in a different direction. docker-credential-gcr is GCR's standalone, gcloud SDK independent Docker credential helper. Post configuring the docker CLI using following command (docker-credential-gcr configure-docker), we need to run following command (docker-credential-gcr gcr-login) as well to authenticate with GCR.
    – Sunny Goel
    2 days ago


















Hi @shou3301, Thanks for your response. I ran "docker-credential-gcr gcr-login" as a backup option to push images in GCR. Yes, it used my account to access the storage. I can see credHelpers object in config.json file but it's throwing an error that "Caller doesn't have permission to create or get storage buckets" . Which account is used to create/get the bucket in this case?
– Sunny Goel
Dec 28 '18 at 19:34






Hi @shou3301, Thanks for your response. I ran "docker-credential-gcr gcr-login" as a backup option to push images in GCR. Yes, it used my account to access the storage. I can see credHelpers object in config.json file but it's throwing an error that "Caller doesn't have permission to create or get storage buckets" . Which account is used to create/get the bucket in this case?
– Sunny Goel
Dec 28 '18 at 19:34














Moreover, what's the purpose of auths attribute then ?
– Sunny Goel
Dec 28 '18 at 19:36




Moreover, what's the purpose of auths attribute then ?
– Sunny Goel
Dec 28 '18 at 19:36












What do you mean by running docker-credential-gcr gcr-login as a backup option? What's your first option? If it uses your account to access the storage, it should use the same account (your account) to create the bucket. Definitely check if you have permission to do so in IAM.
– shou3301
Jan 2 at 19:49




What do you mean by running docker-credential-gcr gcr-login as a backup option? What's your first option? If it uses your account to access the storage, it should use the same account (your account) to create the bucket. Definitely check if you have permission to do so in IAM.
– shou3301
Jan 2 at 19:49












You are right.. I was thinking in a different direction. docker-credential-gcr is GCR's standalone, gcloud SDK independent Docker credential helper. Post configuring the docker CLI using following command (docker-credential-gcr configure-docker), we need to run following command (docker-credential-gcr gcr-login) as well to authenticate with GCR.
– Sunny Goel
2 days ago






You are right.. I was thinking in a different direction. docker-credential-gcr is GCR's standalone, gcloud SDK independent Docker credential helper. Post configuring the docker CLI using following command (docker-credential-gcr configure-docker), we need to run following command (docker-credential-gcr gcr-login) as well to authenticate with GCR.
– Sunny Goel
2 days ago




















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53952448%2funable-to-push-images-in-gcr-caller-does-not-have-permission-storage-buckets%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Monofisismo

Image
Monofisismo (do grego: monos - "único, singular" e physis - "natureza") é o ponto de vista cristológico que defende que, depois da união do divino e do humano na encarnação histórica, Jesus Cristo, como encarnação do Filho ou Verbo ( Logos ) de Deus, teria apenas uma única "natureza", a divina, e não uma síntese de ambas. O monofisismo é contraposto pelo diofisismo (ou "diafisismo"), que defende que Jesus preservou em si as duas naturezas. Historicamente, o monofisismo se refere primordialmente à posição dos que (especialmente no Egito e, em menor grau, na Síria) rejeitaram as decisões do Concílio de Calcedônia em 451 (o quarto concílio ecumênico). Os membros mais moderados entre eles, porém, defendem a teologia "miafisita", que se tornou a oficial para as Igrejas Ortodoxas Orientais. Muitos ortodoxos orientais, porém, rejeitam essa classificação, mesmo como um termo genérico, mas ele é amplamente utilizado na literatura históri...
Read more

Angular Downloading a file using contenturl with Basic Authentication

Image
0 I have a contentUrl when user clicks on that,file should be downloaded. If I try to browse the contentUrl in the browser it asks for Userid and password.I believe this is Basic Authentication.I dont want user to enter UserId and Password so I am passing it Authorization(Please see below code). Url looks some thing like this: http://XXX.XXX.XX.XXX:8080/flowable-rest/service/runtime/tasks/90875/attachments/90555/content let username : string = 'admin'; let pwd : string = 'test'; let headers = new Headers(); headers.set('Accept', 'text/json'); headers.append('Content-Type', 'application/json'); headers.set('Access-Control-Allow-Origin', '*'); headers.set('Access-Control-Allow-Methods','POST, GET, OPTIONS, PUT, DELETE'); head...
Read more

Olmecas

Image
Monumento 1, uma das quatro cabeças colossais encontradas em La Venta, com altura aproximada de 3 metros Olmecas é a designação do povo e da civilização que estiveram na origem da antiga cultura pré-colombiana da Mesoamérica e que se desenvolveram nas regiões tropicais do centro-sul do atual México durante o pré-clássico, próximo de onde hoje estão localizados os estados mexicanos de Veracruz e Tabasco, no Istmo de Tehuantepec, numa zona designada área nuclear olmeca. A cultura olmeca floresceu nesta região aproximadamente entre 1500 e 400 a.C., [ 1 ] e crê-se que tenha sido a civilização-mãe de todas as civilizações mesoamericanas que se desenvolveram posteriormente. [ 2 ] No entanto, desconhece-se a sua exacta filiação étnica, ainda que existam numerosas hipóteses colocadas para tentar resolver esta questão. O etnónimo olmeca foi cunhado pelos arqueólogos do século XX, e não devem confundir-se com os muito posteriores olmecas-xicalancas que ocuparam vários locais do México...
Read more