docker compose can't pull image from google container registry

Time:01-01

I have images on Google Container Registry that I moved from Docker Hub. I have my docker-compose.yml. The compose file successfully pulls the images from Docker Hub, but I can't pull from Google Container Registry.

I logged in using this command, and it succeeded.

cat service-account.json | docker login -u _json_key --password-stdin asia.gcr.io

docker-compose up

ERROR: pull access denied for [my_image_name], repository does not exist or may require 'docker login': denied: requested access to the resource is denied

I even copied the pull command from Container Registry, but I get the same error. So that means my image name is the same in docker compose and in the pull command from the Google registry.

docker pull asia.gcr.io/projectid/myimagename/data-api:latest

CodePudding user response:

My preference here is to use my personal (gcloud config get-value account) account's credentials as it's easiest:

gcloud auth print-access-token \
| docker login \
  --username=oauth2accesstoken \
  --password-stdin \
  asia.gcr.io

If you use a Service Account (key), you'll need to ensure that the Account has suitable permissions (for push|pull you'll need roles/storage.Admin?) on the project (!) or, if you'd prefer, the bucket that represents the registry.

One other challenge is, if you're using Snaps (?) there's possibly a partition between the Docker runtime's credentials store and those being used by Docker Compose.

I was unclear whether you can docker pull from the registry?

CodePudding user response:

If you look at the service-account.json file, you will see that it's not your "password" in the traditional sense. Hence piping it in as a stdin password will not work.

I would recommend using the gcloud credential helper -- you can login as yourself if you have the perms or you can use a service account with its credentials.json file -- which appears to be your case there. Be sure to have the correct IAM perms on your service account.

Pull (read) only:

  • roles/storage.objectViewer

Push (write) and Pull:

  • roles/storage.legacyBucketWriter
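
A diagnostic for the situation in this thread, added here as an example and not part of the original question or answers: it reports which registry each compose image reference resolves to and where Docker would look for credentials for that registry. The compose text and Docker config are constructed samples, the function names are hypothetical, and the reference parsing is a simplified form of Docker's rule.

```python
import re

DOCKER_HUB = "index.docker.io"

def registry_for_image(ref):
    """Return the registry host Docker contacts for an image reference."""
    first, sep, _ = ref.partition("/")
    # Docker treats the first path component as a registry host only if it
    # looks like one; otherwise the reference is resolved against Docker Hub.
    looks_like_host = "." in first or ":" in first or first == "localhost"
    return first if sep and looks_like_host else DOCKER_HUB

def _host(key):
    """Normalise an auths key such as 'https://asia.gcr.io' to a bare host."""
    host = re.sub(r"^https?://", "", key).split("/", 1)[0]
    return DOCKER_HUB if host == "docker.io" else host

def credential_source(config, registry):
    """Say where Docker would look up credentials for registry, or None."""
    helper = config.get("credHelpers", {}).get(registry)
    if helper:
        return f"credHelper:{helper}"
    if config.get("credsStore"):
        return f"credsStore:{config['credsStore']}"
    if any(_host(k) == registry for k in config.get("auths", {})):
        return "auths"
    return None

def check_compose(compose_text, config):
    """Map each `image:` line in a compose file to (image, registry, source)."""
    images = re.findall(r"^\s*image:\s*[\"']?([^\"'\s#]+)", compose_text, re.M)
    return [(i, registry_for_image(i),
             credential_source(config, registry_for_image(i))) for i in images]

# Constructed sample input: one fully qualified reference, one without a host.
SAMPLE_COMPOSE = """\
services:
  api:
    image: asia.gcr.io/projectid/myimagename/data-api:latest
  worker:
    image: myimagename/data-worker:latest
"""
# Constructed ~/.docker/config.json content after `docker login asia.gcr.io`.
SAMPLE_CONFIG = {"auths": {"asia.gcr.io": {"auth": "<redacted>"}}}

if __name__ == "__main__":
    for image, registry, source in check_compose(SAMPLE_COMPOSE, SAMPLE_CONFIG):
        print(f"{image}: registry={registry} credentials={source or 'NONE'}")
```

An image whose registry comes back as index.docker.io is pulled with Docker Hub credentials, so a login to asia.gcr.io does not apply to it.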