Easiest way to install Docker in Ubuntu is to use snap. But then when you try to pull/push any images from Google Cloud Platform (GCP) recommended way of authorisation does not work:
jhartman@docker-mtx:~$ gcloud config configurations list
NAME IS_ACTIVE ACCOUNT PROJECT COMPUTE_DEFAULT_ZONE COMPUTE_DEFAULT_REGION
cloudlab2-gke True jarek.hartman cloudlab2 europe-west3-a europe-west3
jhartman@docker-mtx:~$ gcloud auth configure-docker europe-west3-docker.pkg.dev
WARNING: Your config file at [/home/jhartman/.docker/config.json] contains these credential helper entries:
{
"credHelpers": {
"europe-west3-docker.pkg.dev": "gcloud"
}
}Here problems start:
jhartman@docker-mtx:~$ docker pull europe-west3-docker.pkg.dev/image:tag
Error response from daemon: Head "https://europe-west3-docker.pkg.dev/v2/...": denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/..." (or it may not exist)
At same time, access through gcloud was perfectly fine.
Solution
The problem in Ubuntu is caused by the fact that Docker (containerd) config is not in ~/.docker/config.json but in ~/snap/docker/current/.docker/config.json hence updates done by gcloud during authorisation were pointless…
Workaround would be:
jhartman@docker-mtx:~$ gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin europe-west3-docker.pkg.dev
WARNING! Your password will be stored unencrypted in /home/jhartman/snap/docker/1690/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-storeAnd then pull/push working like a charm:
jhartman@docker-mtx:~$ docker pull europe-west3-docker.pkg.dev/image:tag
5231: Pulling from europe-west3-docker.pkg.dev/image:tag
3a4f63a9dc19: Pull complete
1cd88f0a187e: Pull complete
33caad1a25ea: Pull complete
bfb8d2741ff0: Pull complete
2df8449effdc: Pull complete
8a4655bb8125: Pull complete
dc98993f639a: Pull complete
a08d68e75306: Pull complete
3d670ad44e40: Pull complete
91166be76bdb: Pull complete
d4a24c5dd40b: Pull complete
575366bf6fbf: Pull complete
bd8e088245b3: Pull complete
6bc8a88dc370: Pull complete
bcf90c1eb11d: Pull complete
d51ef5ba66eb: Pull complete
89c850dd2670: Pull complete
3d7de77cc147: Pull complete
8a2cc59b59e7: Pull complete
b32d2ad7cedb: Pull complete
bb06b45c3cb6: Pull complete
Digest: sha256:c936ba84a630e20a8e0d9866b7841deebdeb76923881a783111bd661a9a4fa26
Status: Downloaded newer image for europe-west3-docker.pkg.dev/image:tag
How to fix Permission “artifactregistry.repositories.downloadArtifacts” denied on resource on Ubuntu when pulling from Google Artifact repository
Thanks It has worked now after wasting two days on it.
This is awesome! I was stuck for a couple hours – this saved me!
Man, next time, put some links so I can buy you a coffee. You saved my life!
Thanks a lot for the important findings that saved my life!
To add on, this problem happened in GCP ubuntu system, and you have to login using root, because the config is saved in root folder
I realised this only when I used docker login and it prompted with a warning like
“WARNING! Your password will be stored unencrypted in /root/snap/docker/2343/.docker/config.json.”
So this is very bad that the docker config is saved in not only root folder and snap version of docker