无法从 gcloud compute VM 访问私有容器注册表
Unable to access private container registry from gcloud compute VM
我正在尝试使用服务帐户进行身份验证,从 gcloud VM 的私有 gcloud 注册表中提取容器。 VM 和注册表在同一个项目中。无论我做什么,我总是得到 Error response from daemon: unauthorized
.
XXX@sandbox:~$ gcloud auth configure-docker gcr.io
WARNING: Your config file at [/home/XXX/.docker/config.json] contains these credential helper entries:
{
"credHelpers": {
"gcr.io": "gcloud"
}
}
Adding credentials for: gcr.io
gcloud credential helpers already registered correctly.
XXX@sandbox:~$ sudo docker pull gcr.io/MY-PROJECT-ID/MY-IMAGE:latest
Error response from daemon: unauthorized: You don't have the needed permissions to perform
this operation, and you may have invalid credentials. To authenticate your request, follow
the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
服务帐户具有 gcr.io 存储桶的存储管理员角色:
VM 已启用读写存储访问权限:
VM 已停止,多次重新启动。 Docker 是最新的:
XXX@sandbox:~$ which docker
/usr/bin/docker
XXX@sandbox:~$ sudo docker version
Client: Docker Engine - Community
Version: 19.03.8
API version: 1.40
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:26:02 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.8
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:24:36 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
我可以使用 JSON 密钥文件使它工作,但不能使用 推荐的 gcloud auth configure-docker
。我想我还需要翻转一些未记录的开关或权限,但我看不到。
您可以将account or the impersonate-service-account传递给命令:
gcloud auth configure-docker --account
gcloud auth configure-docker ----impersonate-service-account
当您使用 sudo 运行 更改环境时,它不会向 gcr.io 进行身份验证,因此未经授权。
我正在尝试使用服务帐户进行身份验证,从 gcloud VM 的私有 gcloud 注册表中提取容器。 VM 和注册表在同一个项目中。无论我做什么,我总是得到 Error response from daemon: unauthorized
.
XXX@sandbox:~$ gcloud auth configure-docker gcr.io
WARNING: Your config file at [/home/XXX/.docker/config.json] contains these credential helper entries:
{
"credHelpers": {
"gcr.io": "gcloud"
}
}
Adding credentials for: gcr.io
gcloud credential helpers already registered correctly.
XXX@sandbox:~$ sudo docker pull gcr.io/MY-PROJECT-ID/MY-IMAGE:latest
Error response from daemon: unauthorized: You don't have the needed permissions to perform
this operation, and you may have invalid credentials. To authenticate your request, follow
the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
服务帐户具有 gcr.io 存储桶的存储管理员角色:
VM 已启用读写存储访问权限:
VM 已停止,多次重新启动。 Docker 是最新的:
XXX@sandbox:~$ which docker
/usr/bin/docker
XXX@sandbox:~$ sudo docker version
Client: Docker Engine - Community
Version: 19.03.8
API version: 1.40
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:26:02 2020
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.8
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: afacb8b7f0
Built: Wed Mar 11 01:24:36 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
我可以使用 JSON 密钥文件使它工作,但不能使用 推荐的 gcloud auth configure-docker
。我想我还需要翻转一些未记录的开关或权限,但我看不到。
您可以将account or the impersonate-service-account传递给命令:
gcloud auth configure-docker --account
gcloud auth configure-docker ----impersonate-service-account
当您使用 sudo 运行 更改环境时,它不会向 gcr.io 进行身份验证,因此未经授权。