[solved] Unable to docker pull from private gcr repo

wojciechka · May 21, 2016, 7:08am

I have been using Docker for quite some while on Linux and I have been using gcr.io private repositories for pre-building certain images periodically. I am now testing moving my development environment to Windows.

It seems Docker for Windows cannot log in to gcr using gcloud tools. Using the tools:

C> gcloud docker -a
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Short-lived access for [‘gcr.io’, ‘us.gcr.io’, ‘eu.gcr.io’, ‘asia.gcr.io’, ‘b.gcr.io’, ‘bucket.gcr.io’, ‘appengine.gcr.io’] configured.

C> docker pull gcr.io/private-repo/private-image
Pulling repository gcr.io/private-repo/private-image
Error: Status 403 trying to pull repository private-repo/private-image: “Unable to access the repository: private-repo/private-imagese verify that it exists and you have permission to access it (no valid credential was supplied).”

I have also tried to manually authenticate - i.e.

C> gcloud auth print-access-token
ya…dA

C> docker login -e account@domain.com -u oauth2accesstoken -p “ya…dA” https://gcr.io
Warning: ‘-e’ is deprecated, it will be removed soon. See usage.
Login Succeeded

C> docker pull gcr.io/private-repo/private-image
Pulling repository gcr.io/private-repo/private-image
Error: Status 403 trying to pull repository private-repo/private-image: “Unable to access the repository: private-repo/private-imagese verify that it exists and you have permission to access it (no valid credential was supplied).”

I have been using the repos and gcloud + docker tools for at least a year on Linux, I have also doublechecked all the account names. I am 100% sure that what I am doing is correct.

Obviously my account and repository information was removed from snippets.

Is there any way in which I can check if the credentials are properly stored? I already found out I cannot SSH to the VM in Hyper-V. Is there any other way to troubleshoot it?

castillobg · May 24, 2016, 12:29am

Same thing here, except I’m trying to push an image.

friism · May 24, 2016, 3:07am

That’s really strange. Out of curiosity, can you check whether docker login and push to private repo works with Docker Hub?

Cached credentials are stored in $HOME\.docker\config.json

Michael

castillobg · May 24, 2016, 3:22am

In my case, changing my tag from a image:version notation to image/version fixed it. Got the idea from https://cloud.google.com/container-registry/docs/pushing#pushing_to_the_registry

wojciechka · May 24, 2016, 7:03am

In my case the contents is as follows:

{
	"auths": {
		"https://appengine.gcr.io": {},
		"https://asia.gcr.io": {},
		"https://b.gcr.io": {},
		"https://bucket.gcr.io": {},
		"https://eu.gcr.io": {},
		"https://gcr.io": {},
		"https://us.gcr.io": {}
	},
	"credsStore": "wincred"
}

I have also tried to docker login to sign in with DockerHub and then push a sample private repo I’ve created. It also seems to fail:

D:\docker\helloworld1>docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username (wojciechka):
Password:
Login Succeeded

D:\docker\helloworld1>docker push wojciechka1/helloworld1:latest
The push refers to a repository [docker.io/wojciechka1/helloworld1]
5f70bf18a086: Preparing
a3b5c80a4eba: Preparing
7f18b442972b: Preparing
3ce512daaf78: Preparing
7aae4540b42d: Preparing
unauthorized: authentication required

After docker login the contents of config.json is:

{
	"auths": {
		"https://appengine.gcr.io": {},
		"https://asia.gcr.io": {},
		"https://b.gcr.io": {},
		"https://bucket.gcr.io": {},
		"https://eu.gcr.io": {},
		"https://gcr.io": {},
		"https://index.docker.io/v1/": {},
		"https://us.gcr.io": {}
	},
	"credsStore": "wincred"
}

So index.docker.io/v1/ was added, but also does not work.

I am assuming Docker uses Windows based credential storage in this case? Can you help me troubleshoot this further - i.e. is there any way in which I can check if the data there is stored and it is correct?

friism · May 24, 2016, 11:45pm

It looks like there’s a mismatch between your username and the docker hub account you’re pushing too, eg. wojciechka vs. wojciechka1.

I tried using the wincred helper too with Docker for Windows, and it worked fine for me pushing to Docker Hub.

One further troubleshooting idea would be to remove the wincred helper (this will temporarily cause your passwords to be stored in cleartext in the config file), log in again and see what happens.

ankon · May 27, 2016, 12:35pm

(Coming from the beta support ticket #15421)

I’m having the (presumably) same issue with AWS ECR.

config.json has:

{
	"auths": {
		"https://MY-REPO-ID.dkr.ecr.eu-west-1.amazonaws.com": {}
	},
	"credsStore": "wincred"
}

Changing the references in my docker-compose.yml to use image/tag instead of image:tag did not work, the error message changed to indicate that that format is clearly wrong.

Removing the wincred helper (i.e. changing the config to be just:

{
	"auths": {
		"https://MY-REPO-ID.dkr.ecr.eu-west-1.amazonaws.com": {}
	}
}

) worked! After re-executing the docker login command I see some credentials in the “auths” section, and I can use docker pull to pull the image.

(Edit: formatting)

friism · May 27, 2016, 3:20pm

Thanks for the update. Can you confirm that only the combination of Docker for Windows and wincred credential helper doesn’t work? (I.e. it works with Docker Toolbox, for example)

wojciechka · May 29, 2016, 11:07am

@friism, you are right about docker push to DockerHub.

After rebuilding as wojciechka/helloworld1, I can successfully push it. Without any other changes in Docker configuration or anything.

However, pull gcr.io did not work - at least as long as "credsStore": "wincred" was set. Even if I used an image without specific version tag, it still was reporting an error.

After removing the credsStore from config.json and doing gcloud docker -a (which under the hood calls docker login), docker pull was finally working.

Now I can move on to further testing of the beta on Windows.

Thanks a lot for your help!

friism · June 1, 2016, 5:37pm

It turns out that this is known problem with the credential helpers: https://github.com/docker/docker/issues/22910

vladkras · June 25, 2018, 1:12pm

My problem was solved with proper role of service account where I got the json key, Since Container Registry uses Cloud Storage I had to give this account Storage Admin role first.

docs: https://cloud.google.com/container-registry/docs/access-control#permissions_and_roles

Topic		Replies	Views
Cannot push image to repository in Google Container Engine Docker Desktop	1	5115	May 20, 2016
Docker pull from AWS registry fails Docker Desktop windows	3	5283	August 28, 2016
Pull access denied error General docker	3	1242	October 7, 2021
Access denied when pulling public GitHub package Docker Desktop docker , windows	2	3137	November 9, 2022
Error pulling from private repo Docker Desktop macos	0	642	June 8, 2018

[solved] Unable to docker pull from private gcr repo

Related topics