How to fix Permission “artifactregistry.repositories.downloadArtifacts” denied on resource on Ubuntu when pulling from Google Artifact repository

Jarek Telco and IT 3 Comments

Easiest way to install Docker in Ubuntu is to use snap. But then when you try to pull/push any images from Google Cloud Platform (GCP) recommended way of authorisation does not work:

jhartman@docker-mtx:~$ gcloud config configurations list
NAME               IS_ACTIVE  ACCOUNT                                    PROJECT                       COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
cloudlab2-gke  True       jarek.hartman  cloudlab2  europe-west3-a        europe-west3

jhartman@docker-mtx:~$ gcloud auth configure-docker europe-west3-docker.pkg.dev
WARNING: Your config file at [/home/jhartman/.docker/config.json] contains these credential helper entries:

{
  "credHelpers": {
    "europe-west3-docker.pkg.dev": "gcloud"
  }
}

Here problems start:

jhartman@docker-mtx:~$ docker pull europe-west3-docker.pkg.dev/image:tag
Error response from daemon: Head "https://europe-west3-docker.pkg.dev/v2/...": denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/..." (or it may not exist)

At same time, access through gcloud was perfectly fine.

Solution

The problem in Ubuntu is caused by the fact that Docker (containerd) config is not in ~/.docker/config.json but in ~/snap/docker/current/.docker/config.json hence updates done by gcloud during authorisation were pointless…

Workaround would be:

jhartman@docker-mtx:~$ gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin europe-west3-docker.pkg.dev
WARNING! Your password will be stored unencrypted in /home/jhartman/snap/docker/1690/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

And then pull/push working like a charm:

jhartman@docker-mtx:~$ docker pull europe-west3-docker.pkg.dev/image:tag
5231: Pulling from europe-west3-docker.pkg.dev/image:tag
3a4f63a9dc19: Pull complete
1cd88f0a187e: Pull complete
33caad1a25ea: Pull complete
bfb8d2741ff0: Pull complete
2df8449effdc: Pull complete
8a4655bb8125: Pull complete
dc98993f639a: Pull complete
a08d68e75306: Pull complete
3d670ad44e40: Pull complete
91166be76bdb: Pull complete
d4a24c5dd40b: Pull complete
575366bf6fbf: Pull complete
bd8e088245b3: Pull complete
6bc8a88dc370: Pull complete
bcf90c1eb11d: Pull complete
d51ef5ba66eb: Pull complete
89c850dd2670: Pull complete
3d7de77cc147: Pull complete
8a2cc59b59e7: Pull complete
b32d2ad7cedb: Pull complete
bb06b45c3cb6: Pull complete
Digest: sha256:c936ba84a630e20a8e0d9866b7841deebdeb76923881a783111bd661a9a4fa26
Status: Downloaded newer image for europe-west3-docker.pkg.dev/image:tag

How to fix Permission “artifactregistry.repositories.downloadArtifacts” denied on resource on Ubuntu when pulling from Google Artifact repository
Tagged on:         

3 thoughts on “How to fix Permission “artifactregistry.repositories.downloadArtifacts” denied on resource on Ubuntu when pulling from Google Artifact repository

  • Rishi
    2022-06-05 at 23:27
    Permalink

    Thanks It has worked now after wasting two days on it.

    Reply
  • Zeb
    2022-09-15 at 08:10
    Permalink

    This is awesome! I was stuck for a couple hours – this saved me!

    Reply
  • Andy
    2022-11-11 at 09:50
    Permalink

    Man, next time, put some links so I can buy you a coffee. You saved my life!

    Reply

Leave a Reply

Your email address will not be published.