Can't push image to google container registry - Caller does not have permission 'storage.buckets.get'
In the past I had another service account with same name and different permissions. After discovering that service account names are cached, I created a new service account with different name and it's pushing properly.
For anyone reading all the way here. The other suggestions here did not help me, however I found that the Cloud Service Build Account role was also required. Then the
This is my minimal role (2) setup to push docker images:
The Cloud Service Build Account role however adds many more permissions that simply
storage.buckets.get. The exact permissions can be found here.
note: I am well aware the Cloud Service Build Account role also adds the
storage.objects.get permission. However, adding
roles/storage.objectViewerdid not resolve my problem. Regardless of the fact it had the
If the above does not work you might have the wrong account active. This can be resolved with:
gcloud auth activate-service-account --key-file key.json
If that does not work you might need to set the docker credential helpers with:
gcloud auth configure-docker --project <project_name>
On one final note. There seemed to be some delay between setting a role and it working via the
gcloud tool. This was however minimal, think of a scope less than a minute.
for anyone else coming across this, my issue was that I had not granted my service account
Storage legacy bucket reader. I'd only granted it
Object viewer. Adding that legacy permission fixed it.
It seems docker is still using a legacy method to access GCR