Permission artifactregistry.repositories.uploadArtifacts denied on resource using github actions

7

35

I am trying to push a Docker container to Artifact Registry on GCP, but I got an error on the step Push Docker Image to Artifact Registry:

denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/PROJECT_ID/locations/asia-south1/repositories/images" (or it may not exist) Error: Process completed with exit code 1.

name: Build image and push to Artifact Registry of GCP
on: 
  push:
    branches: 
      - master
 
jobs:
  build-push-artifact:
    name : Build and push Artifact Registry
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - id: 'auth'
      uses: 'google-github-actions/auth@v1'
      with:
        credentials_json: '${{ secrets.ACCOUNT_KEY }}'

    - name: 'Set up Cloud SDK'
      uses: 'google-github-actions/setup-gcloud@v1'

    - name: 'Use gcloud CLI'
      run: 'gcloud info'

    - name: build Docker Image
      run: docker build -t MY_IMAGE:latest .
    
    - name: Configure Docker Client of Gcloud
      run:  |-
        gcloud auth configure-docker --quiet
        gcloud auth configure-docker asia-south1-docker.pkg.dev --quiet
    
    - name: Push Docker Image to Artifact Registry 
      env:
        GIT_TAG: v0.1.0
      run:  |-
        docker tag MY_IMAGE:latest asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:latest
        docker tag MY_IMAGE:latest asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:$GIT_TAG
        docker push asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:latest
        docker push asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:$GIT_TAG

I also added the Artifact Registry Write principal to the repository with the service email. Every other step executes successfully except the last one. How can I fix it?

Kaltman answered 25/3, 2023 at 7:12 Comment(4)
Nikhil Kumar, there are two possibilities for this. One, you might not have provided sufficient permissions, but that's not true in this case, so ruling it out. The second case is that the details you are passing in the pipelines might not be correct, for example some human errors while entering the project ID and image name. From the pipeline code I can see that you are passing these details through variables, so if that's the case you should be using the $ symbol before the variable for its value to get reflected in the pipeline. Example: projectid = 1234, you should be using $projectid in the link. - Fullfaced
@KranthiveerDontineni PROJECT_ID, MY_IMAGE and others are only for demonstration purposes. I also tried with hardcoded values but it's not working. Can you please explain the first possibility? I mean, which permission is required in this situation? - Kaltman
I tried Container Registry instead of Artifact Registry by changing the last step to:
    docker tag MY_IMAGE:latest gcr.io/PROJECT_ID/MY_IMAGE:latest
    docker tag MY_IMAGE:latest gcr.io/PROJECT_ID/MY_IMAGE:$GIT_TAG
    docker push gcr.io/PROJECT_ID/MY_IMAGE:latest
    docker push gcr.io/PROJECT_ID/MY_IMAGE:$GIT_TAG
and it worked. - Kaltman
Verify that the URL you used in the image tag is correct. This error is misleading, as one first thinks it's related to permissions, but it is probably because of a bad repository URL. I was getting this error while using Cloud Build, but default permissions allow uploading images to Artifact Registry. Turns out that I was using the "id" attribute from "data.google_project" in Terraform, but this returns "projects/PROJECT_ID" instead of "PROJECT_ID", so I was wrongly rendering "$REGION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY_ID" into "$REGION-docker.pkg.dev/projects/$PROJECT_ID/$REPOSITORY_ID". Hope this helps. - Catwalk
A
74

Ok, I spent a lot of time on this now and there are two possible solutions:

  • Log into gcloud: gcloud auth login
  • Configure docker: gcloud auth configure-docker europe-west1-docker.pkg.dev (make sure to specify appropriate region)

The second one did it for me.

Alcazar answered 22/4, 2023 at 9:49 Comment(8)
Wow, can't believe I was just not logged in! - Ephebe
Great answer. However, I needed to use the "europe" region to push to Artifact Registry and that confused me a bit. In case anybody else gets the same issue, the error was: denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/<PROJECT ID>/locations/europe/repositories/eu.gcr.io". And I fixed it with: gcloud auth configure-docker europe-docker.pkg.dev - Outgeneral
FYI, this is documented at cloud.google.com/artifact-registry/docs/docker/… - Dehorn
Sorry, but where is it mentioned in the above document that you should or have to use the 'europe' region? 'europe' is used just as an example. - Upchurch
Neither of these did it for me. It's still saying denied on docker push, and I'm a project owner and gcloud auth list shows it's using my account. - Nebulize
Another suggestion: add gcloud/bin/docker-credential-gcloud to your system path. Otherwise the permission denied error occurs. - Nomen
Thanks, the second option works for me. I got my region in SETUP INSTRUCTIONS. :) - Hienhieracosphinx
The second one did the job! - Eckhardt
T
12

Finally this worked for me. I was also facing the above issue for Artifact Registry.

So before executing docker push, I did authentication. This step is not exactly mentioned in docs but this worked for me.

gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://us-central1-docker.pkg.dev

Note:- change your region.

Thermoelectricity answered 1/9, 2023 at 11:24 Comment(1)
Though I did gcloud auth login, I couldn't pipe the password. So I did 2 steps: 1. gcloud auth print-access-token and 2. docker login -u oauth2accesstoken https://us-central1-docker.pkg.dev, and pasted the token that I got from step 1. - Smuts
U
3

If the above solution by Roman didn't solve the issue, you should check the roles assigned to the user through which you are trying to push the images to the registry.

IAM Policy Troubleshooter can help in this, for example you can provide your User Email as Principal, Resource you wanna access (in this case the Registry), and the permission which is expected ('uploadArtifacts' in this case).

Upchurch answered 26/6, 2023 at 11:58 Comment(0)
F
2

One more error scenario and how I fixed this error:

If you installed Docker via snap (on Ubuntu), this version of Docker looks for its config file at a different path and will not pick up the config file updated by the gcloud auth configure-docker... step, which updates the Docker config file at ~/.docker/config.json.

In my case, I uninstalled the snap version and re-installed Docker via the helper scripts given on the Docker website. Alternatively, you can copy the updated config to the location where the snap's Docker is installed.

Foresheet answered 11/7, 2023 at 12:2 Comment(0)
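The failure modes named so far (a "projects/" prefix rendered into the image path, no gcloud credential helper configured for the registry host, Docker reading a different config file, docker-credential-gcloud missing from PATH) can be checked offline before the push. The script below is an added example, not code from any of the posts; the function names are hypothetical, and the second argument lets you point it at whichever config file your Docker install actually reads.

```shell
#!/usr/bin/env bash
# Added example: offline pre-flight checks before `docker push` to Artifact Registry.
# Function names are hypothetical; nothing here contacts Google Cloud.

# Print the registry host of an image reference; fail if the reference is not
# shaped like LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE[:TAG].
gar_host() {
  local ref="$1" host path project
  host="${ref%%/*}"; path="${ref#*/}"; project="${path%%/*}"
  case "$host" in
    *-docker.pkg.dev) ;;
    *) echo "not an Artifact Registry host: $host" >&2; return 1 ;;
  esac
  # A leading "projects" segment means a resource name ("projects/ID") was
  # rendered where the bare project ID belongs.
  if [ "$project" = "projects" ]; then
    echo "path starts with 'projects/': use the bare project ID" >&2; return 1
  fi
  case "$path" in
    */*/*) ;;
    *) echo "expected PROJECT_ID/REPOSITORY/IMAGE after the host" >&2; return 1 ;;
  esac
  printf '%s\n' "$host"
}

# Succeed only if the Docker config file maps the host to the gcloud helper,
# the entry that `gcloud auth configure-docker HOST` writes (plain text match).
has_gcloud_helper() {
  local host="$1" config="${2:-$HOME/.docker/config.json}" esc
  [ -r "$config" ] || { echo "cannot read $config" >&2; return 1; }
  esc="$(printf '%s' "$host" | sed 's/\./\\./g')"
  grep -Eq "\"$esc\"[[:space:]]*:[[:space:]]*\"gcloud\"" "$config"
}

# Run all checks. Return 1: bad reference, 2: host not configured, 3: helper not on PATH.
preflight() {
  local ref="$1" config="${2:-$HOME/.docker/config.json}" host
  host="$(gar_host "$ref")" || return 1
  has_gcloud_helper "$host" "$config" || {
    echo "no gcloud credential helper for $host in $config" >&2; return 2; }
  command -v docker-credential-gcloud >/dev/null 2>&1 || {
    echo "docker-credential-gcloud is not on PATH" >&2; return 3; }
  echo "ok: $host"
}
```

Call it as `preflight asia-south1-docker.pkg.dev/PROJECT_ID/images/MY_IMAGE:latest`. A clean result only rules out the client-side causes; a missing role on the repository still has to be checked in IAM.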
L
2

The error indicates one of the following:

  • The principal (GitHub Actions Service Account) does not have sufficient permissions (i.e. roles/artifactregistry.writer)
  • or GHA isn't logged in to Docker

In order to ensure GHA is logged in to Google Artifact Registry, you can use docker/login-action@v3 that supports authentication with both Workload Identity Federation:

name: ci

on:
  push:
    branches: main

jobs:
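  login:
    runs-on: ubuntu-latest
    # Workload Identity Federation needs an OIDC token issued by GitHub
    permissions:
      contents: read
      id-token: write
    steps: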
      -
        name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v1
        with:
          token_format: access_token
          workload_identity_provider: <workload_identity_provider>
          service_account: <service_account>
      -
        name: Login to GAR
        uses: docker/login-action@v3
        with:
          registry: <location>-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
Lampion answered 16/10, 2023 at 16:9 Comment(1)
In my case, I just needed to grant roles/artifactregistry.writer to my service account and things started to work. - Barboza
R
2

If you are using WSL2, are sure you installed gcloud correctly, have the necessary permissions, and are still having problems, follow these steps:

  1. https://mcmap.net/q/428662/-why-is-my-gcloud-command-suddenly-very-slow-inside-wsl2
  2. Install gcloud cli
  3. gcloud init
  4. gcloud auth configure-docker us-central1-docker.pkg.dev (replace the region)

It works for me! ;)

Ricardoricca answered 16/5, 2024 at 18:40 Comment(1)
Brother, you're a life saver. This answer deserves a pint of gold. - Sciamachy
D
0

I granted some permissions to ****@cloudbuild.gserviceaccount.com, i.e. to the Cloud Build service account that was provided by Google itself.

Dejadeject answered 21/1, 2024 at 18:32 Comment(0)
