How to fix Permission “artifactregistry.repositories.downloadArtifacts” denied on resource on Ubuntu when pulling from Google Artifact repository

Easiest way to install Docker in Ubuntu is to use snap. But then when you try to pull/push any images from Google Cloud Platform (GCP) recommended way of authorisation does not work:

jhartman@docker-mtx:~$ gcloud config configurations list
NAME               IS_ACTIVE  ACCOUNT                                    PROJECT                       COMPUTE_DEFAULT_ZONE  COMPUTE_DEFAULT_REGION
cloudlab2-gke  True       jarek.hartman  cloudlab2  europe-west3-a        europe-west3

jhartman@docker-mtx:~$ gcloud auth configure-docker
WARNING: Your config file at [/home/jhartman/.docker/config.json] contains these credential helper entries:

  "credHelpers": {
    "": "gcloud"

Here problems start:

jhartman@docker-mtx:~$ docker pull
Error response from daemon: Head "": denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/..." (or it may not exist)

At same time, access through gcloud was perfectly fine.


The problem in Ubuntu is caused by the fact that Docker (containerd) config is not in ~/.docker/config.json but in ~/snap/docker/current/.docker/config.json hence updates done by gcloud during authorisation were pointless…

Workaround would be:

jhartman@docker-mtx:~$ gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin
WARNING! Your password will be stored unencrypted in /home/jhartman/snap/docker/1690/.docker/config.json.
Configure a credential helper to remove this warning. See

And then pull/push working like a charm:

jhartman@docker-mtx:~$ docker pull
5231: Pulling from
3a4f63a9dc19: Pull complete
1cd88f0a187e: Pull complete
33caad1a25ea: Pull complete
bfb8d2741ff0: Pull complete
2df8449effdc: Pull complete
8a4655bb8125: Pull complete
dc98993f639a: Pull complete
a08d68e75306: Pull complete
3d670ad44e40: Pull complete
91166be76bdb: Pull complete
d4a24c5dd40b: Pull complete
575366bf6fbf: Pull complete
bd8e088245b3: Pull complete
6bc8a88dc370: Pull complete
bcf90c1eb11d: Pull complete
d51ef5ba66eb: Pull complete
89c850dd2670: Pull complete
3d7de77cc147: Pull complete
8a2cc59b59e7: Pull complete
b32d2ad7cedb: Pull complete
bb06b45c3cb6: Pull complete
Digest: sha256:c936ba84a630e20a8e0d9866b7841deebdeb76923881a783111bd661a9a4fa26
Status: Downloaded newer image for

Update August 2023

After 18 months from writing this post, I’m 100% convinced that the best way to deal with Docker in Ubuntu is to get rid of Docker provided through Snap as quick as possible and switch to the official Docker-ce. Just follow the steps from , spares a lot of issues.

How to fix Permission “artifactregistry.repositories.downloadArtifacts” denied on resource on Ubuntu when pulling from Google Artifact repository
Tagged on:         

5 thoughts on “How to fix Permission “artifactregistry.repositories.downloadArtifacts” denied on resource on Ubuntu when pulling from Google Artifact repository

  • 2022-06-05 at 23:27

    Thanks It has worked now after wasting two days on it.

  • 2022-09-15 at 08:10

    This is awesome! I was stuck for a couple hours – this saved me!

  • 2022-11-11 at 09:50

    Man, next time, put some links so I can buy you a coffee. You saved my life!

    • 2024-02-24 at 19:04

      Hah! Thanks for the inspiration, added a link

  • 2023-03-07 at 17:24

    Thanks a lot for the important findings that saved my life!

    To add on, this problem happened in GCP ubuntu system, and you have to login using root, because the config is saved in root folder
    I realised this only when I used docker login and it prompted with a warning like
    “WARNING! Your password will be stored unencrypted in /root/snap/docker/2343/.docker/config.json.”
    So this is very bad that the docker config is saved in not only root folder and snap version of docker


Leave a Reply

Your email address will not be published. Required fields are marked *