Permission "artifactregistry.repositories.downloadArtifacts" denied on resource

6

26

While the artifact repository was successfully created, running a docker push to push the image to the Google Artifact Registry fails with a permissions error, even after granting all artifact permissions to the account I am using on the gcloud CLI.

Command used to push image:

docker push us-central1-docker.pkg.dev/project-id/repo-name:v2

Error message:

The push refers to repository [us-central1-docker.pkg.dev/project-id/repo-name]
6f6f4a472f31: Preparing
bc096d7549c4: Preparing
5f70bf18a086: Preparing
20bed28d4def: Preparing
2a3255c6d9fb: Preparing
3f5d38b4936d: Waiting
7be8268e2fb0: Waiting
b889a93a79dd: Waiting
9d4550089a93: Waiting
a7934564e6b9: Waiting
1b7cceb6a07c: Waiting
b274e8788e0c: Waiting
78658088978a: Waiting
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/project-id/locations/us-central1/repositories/repo-name" (or it may not exist)


Councilman answered 15/5, 2022 at 20:0 Comment(3)
Can you share the command/code you used to push your image to the artifact registry? And the exact error message you encounter? - Veliz
@ScottB: I've added the push command and error message to the text of the question. Thanks. - Councilman
Have you authenticated Docker (!) to Artifact Registry? It needs to be configured via one of the methods described in Setting up authentication for Docker. - Alexandriaalexandrian
54

I was able to recreate your use case. This happens when you are trying to push an image to a repository whose specific hostname (associated with its repository location) has not yet been added to the credential helper configuration for authentication. You may refer to Setting up authentication for Docker, as also provided by @DazWilkin in the comments, for more details.

In my example, I was trying to push an image to a repository that has a location of us-east1 and got the same error, since it had not yet been added to the credential helper configuration.

After I ran the authentication using the command below (specifically for us-east1, since it is the location of my repository), the image was successfully pushed:

gcloud auth configure-docker us-east1-docker.pkg.dev


QUICK TIP: You may get the authentication command specific to your repository when you open your desired repository in the console, and then click on SETUP INSTRUCTIONS.

Veliz answered 16/5, 2022 at 6:40 Comment(6)
I am getting this same issue, but mine is not a command from my computer. It is cloudbuild trying to access the artifact repository. Any ideas for what might be the issue? - Cosper
Did you find a solution David? My situation is similar but from an app running in GKE. - Rothenberg
@ScottB Thank you very much, especially for mentioning the QUICK TIP in your answer. - Markham
Running gcloud components update and then following these steps solved the problem for me. Thanks! - Reflexion
In my case the displayed authentication command host was wrong. - Abomb
Permission "artifactregistry.repositories.downloadArtifacts" denied while pushing? That's strange. Also docker-credential-gcr is the recommended way, at least on COS. And most likely in other cases too. - Fulmer
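Added example, not part of the original posts: a Python check for the situation the answer above describes, where the registry hostname in the image reference has no entry in the Docker client configuration. The helper names (`parse_image_ref`, `diagnose`, `load_docker_config`), the sample config and the image names are constructed for illustration; the path-length check assumes the Artifact Registry naming format HOST/PROJECT/REPOSITORY/IMAGE.

```python
import json
import os

AR_SUFFIX = "-docker.pkg.dev"  # Artifact Registry hosts: LOCATION-docker.pkg.dev

def parse_image_ref(ref):
    """Split HOST/PROJECT/REPOSITORY/IMAGE[:TAG or @DIGEST] into host and path segments."""
    name = ref.split("@", 1)[0]              # drop a digest, if any
    host, _, path = name.partition("/")
    segments = path.split("/") if path else []
    if segments:                             # a tag can only follow the last segment
        segments[-1] = segments[-1].split(":", 1)[0]
    return host, segments

def diagnose(ref, docker_config):
    """Return findings explaining why Docker may reach `ref` unauthenticated."""
    host, segments = parse_image_ref(ref)
    if not host.endswith(AR_SUFFIX):
        return [f"{host} is not an Artifact Registry Docker host"]
    findings = []
    if len(segments) < 3:
        findings.append("path is shorter than PROJECT/REPOSITORY/IMAGE")
    helpers = docker_config.get("credHelpers", {})
    auths = docker_config.get("auths", {})
    if host not in helpers and host not in auths:
        known = sorted(h for h in helpers if h.endswith(AR_SUFFIX)) or ["none"]
        findings.append(f"no credentials configured for {host} "
                        f"(Artifact Registry hosts present: {', '.join(known)}); "
                        f"run: gcloud auth configure-docker {host}")
    return findings

def load_docker_config():
    """Read the config the Docker CLI reads: $DOCKER_CONFIG or ~/.docker."""
    base = os.environ.get("DOCKER_CONFIG", os.path.expanduser("~/.docker"))
    with open(os.path.join(base, "config.json")) as fh:
        return json.load(fh)

# Constructed sample: only us-central1 has been through `gcloud auth configure-docker`.
SAMPLE_CONFIG = {"credHelpers": {"us-central1-docker.pkg.dev": "gcloud"}}

if __name__ == "__main__":
    for ref in ("us-east1-docker.pkg.dev/my-project/my-repo/my-app:v2",
                "us-central1-docker.pkg.dev/my-project/my-repo/my-app:v2"):
        print(ref, "->", diagnose(ref, SAMPLE_CONFIG) or "ok")
```

To check a real machine, pass `load_docker_config()` instead of `SAMPLE_CONFIG`; run it as the same user that runs `docker`, since the config file is per user.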
5

For me it was an issue with the config file location on Ubuntu. The link below helped me to resolve the issue:

https://jhartman.pl/2022/03/23/how-to-fix-permission-artifactregistry-repositories-downloadartifacts-denied-on-resource-on-ubuntu-when-pulling-from-google-artifact-repository/

Continence answered 25/7, 2022 at 15:4 Comment(1)
Yeah, it took me a while to get to this :-) - Bitter
4

Another issue might be that the GCP project currently set in your gcloud config is not the one that contains the repo you are trying to push the image to, e.g. trying to push to europe-west1-docker.pkg.dev/project123/<repo_name>/<app_name> while the gcloud config has project456 set. To check the project set in the gcloud config, run the following command.

gcloud config configurations list

In order to update the project to the one that has that repo run the following command.

gcloud config set project <project_id>
Hazeghi answered 27/2, 2023 at 17:35 Comment(5)
Thanks this one caught me out. It should include this in the gcp docs! - Commandant
I don't think this can lead to the artifactregistry.repositories.downloadArtifacts message. - Fulmer
@Fulmer It did. I tried it severally on my machine before posting the solution. However I am still open to any extra info you might want to offer on the problem. - Hazeghi
Don't take me wrong. I didn't mean that you didn't run into the issue. But think about it, being told that you lack a download permission when you're trying to upload something is strange, isn't it? Also I just tried it, and it says, that the repository is not found. And if I create the repository in the destination project, it uploads the image. You can confirm it yourself. So maybe there's some important detail that is missing from your description? Or the way it works changed? - Fulmer
Also do note the second case in the same gist. I make docker use a service account with no permissions at all, and it says that it needs artifactregistry.repositories.uploadArtifacts (not artifactregistry.repositories.downloadArtifacts). - Fulmer
3

As pointed out by @saurabh-umathe, the solution is:

gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin europe-west3-docker.pkg.dev

PS: Thanks for referring to my page!

Bitter answered 2/6, 2023 at 11:32 Comment(0)
2

Following GCloud Standalone Cred solved it for me

  1. Logged in to Cloud Shell Editor
  2. Connected to GKE: gcloud container clusters get-credentials <cluster-name> --region=us-east1-b
  3. SSH into the cluster: gcloud compute ssh <node-pool eg: gke-my-cluster-default-pool-2121ca21-rn93> --zone us-east1-b
  4. Ran docker-credential-gcr configure-docker --registries=us-east1-docker.pkg.dev

Then I was able to docker pull <image link eg: us-east1-docker.pkg.dev/csci-5409-cloud-computing/container1/my-app>

Gile answered 17/6, 2023 at 21:25 Comment(0)
0

In my case the issue was with the GCE instance not being associated with any service accounts. To fix it:

resource "google_compute_instance" "my-prj" {
  ...
  service_account {
    email = google_service_account.my-prj.email
    scopes = ["cloud-platform"]
  }
}

resource "google_service_account" "my-prj" {
  account_id = "my-prj"
}

resource "google_artifact_registry_repository_iam_member" "my-prj" {
  location = google_artifact_registry_repository.my-prj.location
  repository = google_artifact_registry_repository.my-prj.name
  role = "roles/artifactregistry.reader"
  member = "serviceAccount:${google_service_account.my-prj.email}"
}

Also the instance had no external IP, but I don't think that's relevant here.

Fulmer answered 18/12, 2023 at 20:16 Comment(0)
