[solved] Unable to docker pull from private gcr repo

I have been using Docker for quite some while on Linux and I have been using gcr.io private repositories for pre-building certain images periodically. I am now testing moving my development environment to Windows.

It seems Docker for Windows cannot log in to gcr using gcloud tools. Using the tools:

C> gcloud docker -a
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Warning: ‘–email’ is deprecated, it will be removed soon. See usage.
Login Succeeded
Short-lived access for [‘gcr.io’, ‘us.gcr.io’, ‘eu.gcr.io’, ‘asia.gcr.io’, ‘b.gcr.io’, ‘bucket.gcr.io’, ‘appengine.gcr.io’] configured.

C> docker pull gcr.io/private-repo/private-image
Pulling repository gcr.io/private-repo/private-image
Error: Status 403 trying to pull repository private-repo/private-image: “Unable to access the repository: private-repo/private-imagese verify that it exists and you have permission to access it (no valid credential was supplied).”

I have also tried to manually authenticate - i.e.

C> gcloud auth print-access-token
ya…dA

C> docker login -e account@domain.com -u oauth2accesstoken -p “ya…dA” https://gcr.io
Warning: ‘-e’ is deprecated, it will be removed soon. See usage.
Login Succeeded

C> docker pull gcr.io/private-repo/private-image
Pulling repository gcr.io/private-repo/private-image
Error: Status 403 trying to pull repository private-repo/private-image: “Unable to access the repository: private-repo/private-imagese verify that it exists and you have permission to access it (no valid credential was supplied).”

I have been using the repos and gcloud + docker tools for at least a year on Linux, I have also doublechecked all the account names. I am 100% sure that what I am doing is correct.

Obviously my account and repository information was removed from snippets.

Is there any way in which I can check if the credentials are properly stored? I already found out I cannot SSH to the VM in Hyper-V. Is there any other way to troubleshoot it?

Same thing here, except I’m trying to push an image.

That’s really strange. Out of curiosity, can you check whether docker login and push to private repo works with Docker Hub?

Cached credentials are stored in $HOME\.docker\config.json

Michael

In my case, changing my tag from a image:version notation to image/version fixed it. Got the idea from https://cloud.google.com/container-registry/docs/pushing#pushing_to_the_registry

In my case the contents is as follows:

{
	"auths": {
		"https://appengine.gcr.io": {},
		"https://asia.gcr.io": {},
		"https://b.gcr.io": {},
		"https://bucket.gcr.io": {},
		"https://eu.gcr.io": {},
		"https://gcr.io": {},
		"https://us.gcr.io": {}
	},
	"credsStore": "wincred"
}

I have also tried to docker login to sign in with DockerHub and then push a sample private repo I’ve created. It also seems to fail:

D:\docker\helloworld1>docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username (wojciechka):
Password:
Login Succeeded

D:\docker\helloworld1>docker push wojciechka1/helloworld1:latest
The push refers to a repository [docker.io/wojciechka1/helloworld1]
5f70bf18a086: Preparing
a3b5c80a4eba: Preparing
7f18b442972b: Preparing
3ce512daaf78: Preparing
7aae4540b42d: Preparing
unauthorized: authentication required

After docker login the contents of config.json is:

{
	"auths": {
		"https://appengine.gcr.io": {},
		"https://asia.gcr.io": {},
		"https://b.gcr.io": {},
		"https://bucket.gcr.io": {},
		"https://eu.gcr.io": {},
		"https://gcr.io": {},
		"https://index.docker.io/v1/": {},
		"https://us.gcr.io": {}
	},
	"credsStore": "wincred"
}

So index.docker.io/v1/ was added, but also does not work.

I am assuming Docker uses Windows based credential storage in this case? Can you help me troubleshoot this further - i.e. is there any way in which I can check if the data there is stored and it is correct?

It looks like there’s a mismatch between your username and the docker hub account you’re pushing too, eg. wojciechka vs. wojciechka1.

I tried using the wincred helper too with Docker for Windows, and it worked fine for me pushing to Docker Hub.

One further troubleshooting idea would be to remove the wincred helper (this will temporarily cause your passwords to be stored in cleartext in the config file), log in again and see what happens.

(Coming from the beta support ticket #15421)

I’m having the (presumably) same issue with AWS ECR.

config.json has:

{
	"auths": {
		"https://MY-REPO-ID.dkr.ecr.eu-west-1.amazonaws.com": {}
	},
	"credsStore": "wincred"
}

Changing the references in my docker-compose.yml to use image/tag instead of image:tag did not work, the error message changed to indicate that that format is clearly wrong.

Removing the wincred helper (i.e. changing the config to be just:

{
	"auths": {
		"https://MY-REPO-ID.dkr.ecr.eu-west-1.amazonaws.com": {}
	}
}

) worked! After re-executing the docker login command I see some credentials in the “auths” section, and I can use docker pull to pull the image.

(Edit: formatting)

Thanks for the update. Can you confirm that only the combination of Docker for Windows and wincred credential helper doesn’t work? (I.e. it works with Docker Toolbox, for example)

@friism, you are right about docker push to DockerHub.

After rebuilding as wojciechka/helloworld1, I can successfully push it. Without any other changes in Docker configuration or anything.

However, pull gcr.io did not work - at least as long as "credsStore": "wincred" was set. Even if I used an image without specific version tag, it still was reporting an error.

After removing the credsStore from config.json and doing gcloud docker -a (which under the hood calls docker login), docker pull was finally working.

Now I can move on to further testing of the beta on Windows.

Thanks a lot for your help!

It turns out that this is known problem with the credential helpers: https://github.com/docker/docker/issues/22910

My problem was solved with proper role of service account where I got the json key, Since Container Registry uses Cloud Storage I had to give this account Storage Admin role first.

docs: https://cloud.google.com/container-registry/docs/access-control#permissions_and_roles