Pull private docker images from Google Container Registry w/o gcloud

2

14

I'm using shippable to push private docker images to the Google Container Registry that I then want to pull from either locally on a laptop, or inside an instance on the Google Compute Engine.

I know that the command gcloud preview docker pull gcr.io/projectID/image-name works, but I can't rely on gcloud being installed on every machine that someone may need to pull the image from.

If I run docker-compose up -d on my machine then I get the following error:

Pulling image gcr.io/projectID/image-name...
Pulling repository gcr.io/projectID/image-name
Traceback (most recent call last):
  File "<string>", line 3, in <module>
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.main", line 31, in main
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.docopt_command", line 21, in sys_dispatch
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.command", line 27, in dispatch
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.docopt_command", line 24, in dispatch
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.command", line 59, in perform_command
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.cli.main", line 464, in up
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.project", line 208, in up
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.service", line 214, in recreate_containers
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.service", line 199, in create_container
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.progress_stream", line 37, in stream_output
  File "/compose/build/docker-compose/out00-PYZ.pyz/compose.progress_stream", line 50, in print_output_event
compose.progress_stream.StreamOutputError: Error: Status 403 trying to pull repository projectID/image-name: "Access denied."

Is there any way to authenticate or access the image with some form of OAuth or keys? I want to avoid having to install gcloud on every machine that will ever need to pull the image, and the images have to remain private.

I have tried gcloud preview docker -a but that is not the solution I'm looking for.

Thank you in advance for any help.

Basketry answered 18/6, 2015 at 22:21 Comment(6)
Have you tried this: #29292076 - Teodoor
Yes, and your solution works on the GCE (Thank you!), however I cannot apply it when running on a local machine. There is also the issue that I have to manually authenticate on every GCE instance that is created, which is not scalable. - Basketry
Locally, you can still use "docker login", but substitute "gcloud auth print-access-token" for the curl (or gcloud docker -a). - Teodoor
Regarding authentication, yes. You might consider trying the container-vm image as your host image; it has a crontab that keeps these credentials up to date automatically (you don't need to use the manifest for this). See: cloud.google.com/compute/docs/containers/container_vms - Teodoor
Have you figured out how to do this? Using CoreOS here and no python, no gcloud option as I need to pull the images on the host. - Phyto
Possible duplicate of Access google container registry without the gcloud client - Proselytize
14

If you want to work with the Google Container Registry on a machine not in the Google Compute Engine (i.e. local) using vanilla docker you can follow Google's instructions.

The two main methods are using an access token or a JSON key file.

Note that _token and _json_key are the actual values you provide for the username (-u).

Access Token

$ docker login -e [email protected] -u _token -p "$(gcloud auth print-access-token)" https://gcr.io

JSON Key File

$ docker login -e [email protected] -u _json_key -p "$(cat keyfile.json)" https://gcr.io

To create a key file you can follow these instructions:

  1. Open the Credentials page.
  2. To set up a new service account, do the following:
    • Click Add credentials > Service account.
    • Choose whether to download the service account's public/private key as a standard P12 file, or as a JSON file that can be loaded by a Google API client library.
    • Your new public/private key pair is generated and downloaded to your machine; it serves as the only copy of this key. You are responsible for storing it securely.

You can view Google's documentation on generating a key file here.

Freewheeling answered 18/11, 2015 at 4:22 Comment(2)
Does _json_key come from json file? Any idea which field does it correspond to? - Swollen
_json_key is a literal value. It's signaling to GCR what to expect from the -p flag. - Freewheeling
1

You can also do the following, and it would work as well.

cat service-account.json | docker login -u _json_key --password-stdin https://gcr.io
Ihram answered 9/12, 2021 at 8:33 Comment(0)
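
An added example, not part of any answer above: a wrapper around the `--password-stdin` form that refuses key files readable by group or others, or that are not service-account keys, before handing the key to docker on stdin (a `-p "$(cat keyfile.json)"` argument is visible in the process list and shell history). The function names `check_keyfile` and `gcr_login` are assumptions made for this sketch.

```shell
# Added example; check_keyfile and gcr_login are hypothetical helper names.

# check_keyfile FILE
# Returns 0 only if FILE exists, is private to its owner, and is a
# service-account JSON key. Non-zero codes: 2 missing, 3 perms, 4 wrong type.
check_keyfile() {
  f="$1"
  if [ ! -f "$f" ] || [ ! -r "$f" ]; then
    echo "key file missing or unreadable: $f" >&2
    return 2
  fi
  # Characters 5-10 of the ls mode string are the group and other bits.
  go_bits=$(ls -ld -- "$f" | cut -c5-10)
  if [ "$go_bits" != "------" ]; then
    echo "key file is accessible to group/others; run: chmod 600 $f" >&2
    return 3
  fi
  # Service-account keys downloaded as JSON carry "type": "service_account".
  if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f"; then
    echo "not a service-account JSON key: $f" >&2
    return 4
  fi
  return 0
}

# gcr_login FILE [REGISTRY]
# Logs in with the literal username _json_key; the whole key file is the
# password and is passed on stdin, never on the command line.
gcr_login() {
  keyfile="$1"
  registry="${2:-https://gcr.io}"
  check_keyfile "$keyfile" || return
  docker login -u _json_key --password-stdin "$registry" < "$keyfile"
}
```

Call it as `gcr_login service-account.json`; after a successful login docker stores the credential in its client config unless a credential helper is configured, so that file needs the same protection as the key.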
