Permission issues while docker push

Google cloud services have specific information how to grant permissions for docker push, this is the first thing you should have a look I think, https://cloud.google.com/container-registry/docs/access-control

After checking that you have sufficient permissions you should proceed with authentication with something like:

gcloud auth configure-docker

See more here: https://cloud.google.com/container-registry/docs/pushing-and-pulling

Windows / Powershell

I got this error on Windows when I was trying to run docker push from a normal powershell window after authenticating in the google cloud shell that had opened when I installed the SDK.

The solution was simple:

Start a new powershell window to run docker push after running the gcloud auth configure-docker command.

Make sure you've activated the registry too:

gcloud services enable containerregistry.googleapis.com

Also Google has a tendency to jump to a default account (maybe your personal gmail) which may or may not be the one you want (your business email). Make sure if you're opening any links in a browser that you're in the correct Google account.

I'm not exactly sure what's going on yet because I'm brand new to docker, but something got refreshed when starting a new Powershell instance.

In order to be able to push images to the private registry you need two things: API Access Scopes and Authenticate your VM with the registry.

For the API Access Scopes (https://cloud.google.com/container-registry/docs/using-with-google-cloud-platform) we can read in the official documentation:

For GKE:

By default, new Google Kubernetes Engine clusters are created with read-only permissions for Storage buckets. To set the read-write storage scope when creating a Google Kubernetes Engine cluster, use the --scopes option.

For GCE:

By default, a Compute Engine VM has the read-only access scope configured for storage buckets. To push private Docker images, your instance must have read-write storage access scope configured as described in Access scopes.

So first, verify if your GKE cluster or GCE instance actually has the proper scopes set.

The next is to authenticate to the registry:

a) If you are using a Linux based image, you need to use "gcloud auth configure-docker" (https://cloud.google.com/container-registry/docs/advanced-authentication).

b) For Container-Optimized OS (COS), the command is “docker-credential-gcr configure-docker” (https://cloud.google.com/container-optimized-os/docs/how-to/run-container-instance#accessing_private_google_container_registry)

If you are running docker as root (i.e. with sudo docker), then make sure to configure the authentication as root. You can run for example:

sudo -s
gcloud auth login
gcloud auth configure-docker

...that will create (or update) a file under /root/.docker/config.json.

(Are there any security implications of gcloud auth login as root? Let me know in the comments.)