Permission "artifactregistry.repositories.downloadArtifacts" denied on resource
Question:
While the artifact repository was successfully creating, running a docker push to push the image to the google artifact registry fails with a permissions error even after granting all artifact permissions to the accounting I am using on gcloud cli.
Command used to push image:
docker push us-central1-docker.pkg.dev/project-id/repo-name:v2
Error message:
The push refers to repository [us-central1-docker.pkg.dev/project-id/repo-name]
6f6f4a472f31: Preparing
bc096d7549c4: Preparing
5f70bf18a086: Preparing
20bed28d4def: Preparing
2a3255c6d9fb: Preparing
3f5d38b4936d: Waiting
7be8268e2fb0: Waiting
b889a93a79dd: Waiting
9d4550089a93: Waiting
a7934564e6b9: Waiting
1b7cceb6a07c: Waiting
b274e8788e0c: Waiting
78658088978a: Waiting
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/project-id/locations/us-central1/repositories/repo-name" (or it may not exist)
Answers:
I was able to recreate your use case. This happens when you are trying to push an image on a repository in which its specific hostname (associated with it’s repository location) is not yet added to the credential helper configuration for authentication. You may refer to this Setting up authentication for Docker as also provided by @DazWilkin in the comments for more details.
In my example, I was trying to push an image on a repository that has a location of us-east1 and got the same error since it is not yet added to the credential helper configuration.
And after I ran the authentication using below command (specifically for us-east1 since it is the location of my repository), the image was successfully pushed:
gcloud auth configure-docker us-east1-docker.pkg.dev
QUICK TIP: You may get your authentication command specific for your repository when you open your desired repository in the console, and then click on the SETUP INSTRUCTIONS.
For me it was an issue with config file location for ubuntu. Below link helped me to resolve the issue
Another issue might also be that the gcp project currently set in your gcloud config is not the one that contains the repo you are trying to push the image to. e.g trying to push to europe-west1-docker.pkg.dev/project123/<repo_name>/<app_name> but the gcloud config has project456 set. To check the project set in the gcloud config, run the following command.
gcloud config configurations list
In order to update the project to the one that has that repo run the following command.
gcloud config set project <project_id>
While the artifact repository was successfully creating, running a docker push to push the image to the google artifact registry fails with a permissions error even after granting all artifact permissions to the accounting I am using on gcloud cli.
Command used to push image:
docker push us-central1-docker.pkg.dev/project-id/repo-name:v2
Error message:
The push refers to repository [us-central1-docker.pkg.dev/project-id/repo-name]
6f6f4a472f31: Preparing
bc096d7549c4: Preparing
5f70bf18a086: Preparing
20bed28d4def: Preparing
2a3255c6d9fb: Preparing
3f5d38b4936d: Waiting
7be8268e2fb0: Waiting
b889a93a79dd: Waiting
9d4550089a93: Waiting
a7934564e6b9: Waiting
1b7cceb6a07c: Waiting
b274e8788e0c: Waiting
78658088978a: Waiting
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/project-id/locations/us-central1/repositories/repo-name" (or it may not exist)
I was able to recreate your use case. This happens when you are trying to push an image on a repository in which its specific hostname (associated with it’s repository location) is not yet added to the credential helper configuration for authentication. You may refer to this Setting up authentication for Docker as also provided by @DazWilkin in the comments for more details.
In my example, I was trying to push an image on a repository that has a location of us-east1 and got the same error since it is not yet added to the credential helper configuration.
And after I ran the authentication using below command (specifically for us-east1 since it is the location of my repository), the image was successfully pushed:
gcloud auth configure-docker us-east1-docker.pkg.dev
QUICK TIP: You may get your authentication command specific for your repository when you open your desired repository in the console, and then click on the SETUP INSTRUCTIONS.
For me it was an issue with config file location for ubuntu. Below link helped me to resolve the issue
Another issue might also be that the gcp project currently set in your gcloud config is not the one that contains the repo you are trying to push the image to. e.g trying to push to europe-west1-docker.pkg.dev/project123/<repo_name>/<app_name> but the gcloud config has project456 set. To check the project set in the gcloud config, run the following command.
gcloud config configurations list
In order to update the project to the one that has that repo run the following command.
gcloud config set project <project_id>