How to fix Permission “artifactregistry.repositories.downloadArtifacts” denied on resource on Ubuntu when pulling from Google Artifact repository

Easiest way to install Docker in Ubuntu is to use snap. But then when you try to pull/push any images from Google Cloud Platform (GCP) recommended way of authorisation does not work:

jhartman@docker-mtx:~$ gcloud config configurations list
NAME               IS_ACTIVE  ACCOUNT                                    PROJECT                       COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
cloudlab2-gke  True       jarek.hartman  cloudlab2  europe-west3-a        europe-west3

jhartman@docker-mtx:~$ gcloud auth configure-docker europe-west3-docker.pkg.dev
WARNING: Your config file at [/home/jhartman/.docker/config.json] contains these credential helper entries:

{
  "credHelpers": {
    "europe-west3-docker.pkg.dev": "gcloud"
  }
}

Here problems start:

jhartman@docker-mtx:~$ docker pull europe-west3-docker.pkg.dev/image:tag
Error response from daemon: Head "https://europe-west3-docker.pkg.dev/v2/...": denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/..." (or it may not exist)

At same time, access through gcloud was perfectly fine.

Solution

The problem in Ubuntu is caused by the fact that Docker (containerd) config is not in ~/.docker/config.json but in ~/snap/docker/current/.docker/config.json hence updates done by gcloud during authorisation were pointless…

Workaround would be:

jhartman@docker-mtx:~$ gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin europe-west3-docker.pkg.dev
WARNING! Your password will be stored unencrypted in /home/jhartman/snap/docker/1690/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

And then pull/push working like a charm:

jhartman@docker-mtx:~$ docker pull europe-west3-docker.pkg.dev/image:tag
5231: Pulling from europe-west3-docker.pkg.dev/image:tag
3a4f63a9dc19: Pull complete
1cd88f0a187e: Pull complete
33caad1a25ea: Pull complete
bfb8d2741ff0: Pull complete
2df8449effdc: Pull complete
8a4655bb8125: Pull complete
dc98993f639a: Pull complete
a08d68e75306: Pull complete
3d670ad44e40: Pull complete
91166be76bdb: Pull complete
d4a24c5dd40b: Pull complete
575366bf6fbf: Pull complete
bd8e088245b3: Pull complete
6bc8a88dc370: Pull complete
bcf90c1eb11d: Pull complete
d51ef5ba66eb: Pull complete
89c850dd2670: Pull complete
3d7de77cc147: Pull complete
8a2cc59b59e7: Pull complete
b32d2ad7cedb: Pull complete
bb06b45c3cb6: Pull complete
Digest: sha256:c936ba84a630e20a8e0d9866b7841deebdeb76923881a783111bd661a9a4fa26
Status: Downloaded newer image for europe-west3-docker.pkg.dev/image:tag

How to fix Permission “artifactregistry.repositories.downloadArtifacts” denied on resource on Ubuntu when pulling from Google Artifact repository
Tagged on:         

Leave a Reply

Your email address will not be published.