docker push to gcr.io fails with “denied: Token exchange failed for project”











up vote
0
down vote

favorite












I've discovered a flow that works through GCP console but not through the gcloud CLI.



Minimal Repro



The following bash snippet creates a fresh GCP project and attempts to push an image to gcr.io, but fails with "access denied" even though the user is project owner:



gcloud auth login



PROJECT_ID="example-project-20181120"

gcloud projects create "$PROJECT_ID" --set-as-default

gcloud services enable containerregistry.googleapis.com

gcloud auth configure-docker --quiet



mkdir ~/docker-source && cd ~/docker-source

git clone https://github.com/mtlynch/docker-flask-upload-demo.git .



LOCAL_IMAGE_NAME="flask-demo-app"

GCR_IMAGE_PATH="gcr.io/${PROJECT_ID}/flask-demo-app"

docker build --tag "$LOCAL_IMAGE_NAME" .

docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH"

docker push "$GCR_IMAGE_PATH"


Result



The push refers to repository [gcr.io/example-project-20181120/flask-demo-app]

02205dbcdc63: Preparing

06ade19a43a0: Preparing

38d9ac54a7b9: Preparing

f83363c693c0: Preparing

b0d071df1063: Preparing

90d1009ce6fe: Waiting

denied: Token exchange failed for project 'example-project-20181120'. Access denied.


The system is Ubuntu 16.04 with the latest version of gcloud 225.0.0, as of this writing. The account I auth'ed with has role roles/owner.



Inconsistency with GCP Console



I notice that if I follow the same flow through GCP Console, I can docker push successfully:




  1. Create a new GCP project via GCP Console

  2. Create a service account with roles/owner via GCP Console

  3. Download JSON key for service account

  4. Enable container registry API via GCP Console

  5. gcloud auth activate-service-account --key-file key.json

  6. gcloud config set project $PROJECT_ID

  7. gcloud auth configure-docker --quiet

  8. docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH" && docker push "$GCR_IMAGE_PATH"


Result: Works as expected. Successfully pushes docker image to gcr.io.



Other attempts



I also tried using gcloud auth login as my @gmail.com account, then using that account to create a service account with gcloud, but that gets the same denied error:



SERVICE_ACCOUNT_NAME=test-service-account

gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"

KEY_FILE="${HOME}/key.json"

gcloud iam service-accounts keys create "$KEY_FILE" 

  --iam-account "${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

gcloud projects add-iam-policy-binding "$PROJECT_ID" 

  --member "serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" 

  --role roles/owner

gcloud auth activate-service-account --key-file="${HOME}/key.json"



docker push "$GCR_IMAGE_PATH"


Result: denied: Token exchange failed for project 'example-project-20181120'. Access denied.






docker google-cloud-platform gcloud







share|improve this question




























    up vote
    0
    down vote

    favorite












    I've discovered a flow that works through GCP console but not through the gcloud CLI.



    Minimal Repro



    The following bash snippet creates a fresh GCP project and attempts to push an image to gcr.io, but fails with "access denied" even though the user is project owner:



    gcloud auth login
    

    
PROJECT_ID="example-project-20181120"
    
gcloud projects create "$PROJECT_ID" --set-as-default
    
gcloud services enable containerregistry.googleapis.com
    
gcloud auth configure-docker --quiet
    

    
mkdir ~/docker-source && cd ~/docker-source
    
git clone https://github.com/mtlynch/docker-flask-upload-demo.git .
    

    
LOCAL_IMAGE_NAME="flask-demo-app"
    
GCR_IMAGE_PATH="gcr.io/${PROJECT_ID}/flask-demo-app"
    
docker build --tag "$LOCAL_IMAGE_NAME" .
    
docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH"
    
docker push "$GCR_IMAGE_PATH"


    Result



    The push refers to repository [gcr.io/example-project-20181120/flask-demo-app]
    
02205dbcdc63: Preparing
    
06ade19a43a0: Preparing
    
38d9ac54a7b9: Preparing
    
f83363c693c0: Preparing
    
b0d071df1063: Preparing
    
90d1009ce6fe: Waiting
    
denied: Token exchange failed for project 'example-project-20181120'. Access denied.


    The system is Ubuntu 16.04 with the latest version of gcloud 225.0.0, as of this writing. The account I auth'ed with has role roles/owner.



    Inconsistency with GCP Console



    I notice that if I follow the same flow through GCP Console, I can docker push successfully:




    1. Create a new GCP project via GCP Console

    2. Create a service account with roles/owner via GCP Console

    3. Download JSON key for service account

    4. Enable container registry API via GCP Console

    5. gcloud auth activate-service-account --key-file key.json

    6. gcloud config set project $PROJECT_ID

    7. gcloud auth configure-docker --quiet

    8. docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH" && docker push "$GCR_IMAGE_PATH"


    Result: Works as expected. Successfully pushes docker image to gcr.io.



    Other attempts



    I also tried using gcloud auth login as my @gmail.com account, then using that account to create a service account with gcloud, but that gets the same denied error:



    SERVICE_ACCOUNT_NAME=test-service-account
    
gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"
    
KEY_FILE="${HOME}/key.json"
    
gcloud iam service-accounts keys create "$KEY_FILE" 
    
  --iam-account "${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
    
gcloud projects add-iam-policy-binding "$PROJECT_ID" 
    
  --member "serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" 
    
  --role roles/owner
    
gcloud auth activate-service-account --key-file="${HOME}/key.json"
    

    
docker push "$GCR_IMAGE_PATH"


    Result: denied: Token exchange failed for project 'example-project-20181120'. Access denied.






    docker google-cloud-platform gcloud







    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I've discovered a flow that works through GCP console but not through the gcloud CLI.



      Minimal Repro



      The following bash snippet creates a fresh GCP project and attempts to push an image to gcr.io, but fails with "access denied" even though the user is project owner:



      gcloud auth login
      

      
PROJECT_ID="example-project-20181120"
      
gcloud projects create "$PROJECT_ID" --set-as-default
      
gcloud services enable containerregistry.googleapis.com
      
gcloud auth configure-docker --quiet
      

      
mkdir ~/docker-source && cd ~/docker-source
      
git clone https://github.com/mtlynch/docker-flask-upload-demo.git .
      

      
LOCAL_IMAGE_NAME="flask-demo-app"
      
GCR_IMAGE_PATH="gcr.io/${PROJECT_ID}/flask-demo-app"
      
docker build --tag "$LOCAL_IMAGE_NAME" .
      
docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH"
      
docker push "$GCR_IMAGE_PATH"


      Result



      The push refers to repository [gcr.io/example-project-20181120/flask-demo-app]
      
02205dbcdc63: Preparing
      
06ade19a43a0: Preparing
      
38d9ac54a7b9: Preparing
      
f83363c693c0: Preparing
      
b0d071df1063: Preparing
      
90d1009ce6fe: Waiting
      
denied: Token exchange failed for project 'example-project-20181120'. Access denied.


      The system is Ubuntu 16.04 with the latest version of gcloud 225.0.0, as of this writing. The account I auth'ed with has role roles/owner.



      Inconsistency with GCP Console



      I notice that if I follow the same flow through GCP Console, I can docker push successfully:




      1. Create a new GCP project via GCP Console

      2. Create a service account with roles/owner via GCP Console

      3. Download JSON key for service account

      4. Enable container registry API via GCP Console

      5. gcloud auth activate-service-account --key-file key.json

      6. gcloud config set project $PROJECT_ID

      7. gcloud auth configure-docker --quiet

      8. docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH" && docker push "$GCR_IMAGE_PATH"


      Result: Works as expected. Successfully pushes docker image to gcr.io.



      Other attempts



      I also tried using gcloud auth login as my @gmail.com account, then using that account to create a service account with gcloud, but that gets the same denied error:



      SERVICE_ACCOUNT_NAME=test-service-account
      
gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"
      
KEY_FILE="${HOME}/key.json"
      
gcloud iam service-accounts keys create "$KEY_FILE" 
      
  --iam-account "${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
      
gcloud projects add-iam-policy-binding "$PROJECT_ID" 
      
  --member "serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" 
      
  --role roles/owner
      
gcloud auth activate-service-account --key-file="${HOME}/key.json"
      

      
docker push "$GCR_IMAGE_PATH"


      Result: denied: Token exchange failed for project 'example-project-20181120'. Access denied.






      docker google-cloud-platform gcloud







      share|improve this question















      I've discovered a flow that works through GCP console but not through the gcloud CLI.



      Minimal Repro



      The following bash snippet creates a fresh GCP project and attempts to push an image to gcr.io, but fails with "access denied" even though the user is project owner:



      gcloud auth login
      

      
PROJECT_ID="example-project-20181120"
      
gcloud projects create "$PROJECT_ID" --set-as-default
      
gcloud services enable containerregistry.googleapis.com
      
gcloud auth configure-docker --quiet
      

      
mkdir ~/docker-source && cd ~/docker-source
      
git clone https://github.com/mtlynch/docker-flask-upload-demo.git .
      

      
LOCAL_IMAGE_NAME="flask-demo-app"
      
GCR_IMAGE_PATH="gcr.io/${PROJECT_ID}/flask-demo-app"
      
docker build --tag "$LOCAL_IMAGE_NAME" .
      
docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH"
      
docker push "$GCR_IMAGE_PATH"


      Result



      The push refers to repository [gcr.io/example-project-20181120/flask-demo-app]
      
02205dbcdc63: Preparing
      
06ade19a43a0: Preparing
      
38d9ac54a7b9: Preparing
      
f83363c693c0: Preparing
      
b0d071df1063: Preparing
      
90d1009ce6fe: Waiting
      
denied: Token exchange failed for project 'example-project-20181120'. Access denied.


      The system is Ubuntu 16.04 with the latest version of gcloud 225.0.0, as of this writing. The account I auth'ed with has role roles/owner.



      Inconsistency with GCP Console



      I notice that if I follow the same flow through GCP Console, I can docker push successfully:




      1. Create a new GCP project via GCP Console

      2. Create a service account with roles/owner via GCP Console

      3. Download JSON key for service account

      4. Enable container registry API via GCP Console

      5. gcloud auth activate-service-account --key-file key.json

      6. gcloud config set project $PROJECT_ID

      7. gcloud auth configure-docker --quiet

      8. docker tag "$LOCAL_IMAGE_NAME" "$GCR_IMAGE_PATH" && docker push "$GCR_IMAGE_PATH"


      Result: Works as expected. Successfully pushes docker image to gcr.io.



      Other attempts



      I also tried using gcloud auth login as my @gmail.com account, then using that account to create a service account with gcloud, but that gets the same denied error:



      SERVICE_ACCOUNT_NAME=test-service-account
      
gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"
      
KEY_FILE="${HOME}/key.json"
      
gcloud iam service-accounts keys create "$KEY_FILE" 
      
  --iam-account "${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
      
gcloud projects add-iam-policy-binding "$PROJECT_ID" 
      
  --member "serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" 
      
  --role roles/owner
      
gcloud auth activate-service-account --key-file="${HOME}/key.json"
      

      
docker push "$GCR_IMAGE_PATH"


      Result: denied: Token exchange failed for project 'example-project-20181120'. Access denied.






      docker google-cloud-platform gcloud




      docker google-cloud-platform gcloud






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 2 days ago

























      asked 2 days ago









      mtlynch

      2,23531612




      2,23531612
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          I tried to reproduce the same error using bash snippet you provided, however it successfully built the ‘flask-demo-app’ container registry image for me. I used below steps to reproduce the issue:



          Step 1: Use account which have ‘role: roles/owner’ and ‘role: roles/editor’



          Step 2: Created bash script using your given snippet



          Step 3: Added ‘gcloud auth activate-service-account --key-file skey.json’ in script to authenticate the account



          Step 4: Run the bash script



          Result : It created the ‘flask-demo-app’ container registry image



          This leads me to believe that there might be an issue with your environment which is causing this error for you. To troubleshoot this you could try running your code on a different machine, a different network or even on the Cloud Shell.






          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














             

            draft saved


            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53410165%2fdocker-push-to-gcr-io-fails-with-denied-token-exchange-failed-for-project%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            0
            down vote













            I tried to reproduce the same error using bash snippet you provided, however it successfully built the ‘flask-demo-app’ container registry image for me. I used below steps to reproduce the issue:



            Step 1: Use account which have ‘role: roles/owner’ and ‘role: roles/editor’



            Step 2: Created bash script using your given snippet



            Step 3: Added ‘gcloud auth activate-service-account --key-file skey.json’ in script to authenticate the account



            Step 4: Run the bash script



            Result : It created the ‘flask-demo-app’ container registry image



            This leads me to believe that there might be an issue with your environment which is causing this error for you. To troubleshoot this you could try running your code on a different machine, a different network or even on the Cloud Shell.






            share|improve this answer

























              up vote
              0
              down vote













              I tried to reproduce the same error using bash snippet you provided, however it successfully built the ‘flask-demo-app’ container registry image for me. I used below steps to reproduce the issue:



              Step 1: Use account which have ‘role: roles/owner’ and ‘role: roles/editor’



              Step 2: Created bash script using your given snippet



              Step 3: Added ‘gcloud auth activate-service-account --key-file skey.json’ in script to authenticate the account



              Step 4: Run the bash script



              Result : It created the ‘flask-demo-app’ container registry image



              This leads me to believe that there might be an issue with your environment which is causing this error for you. To troubleshoot this you could try running your code on a different machine, a different network or even on the Cloud Shell.






              share|improve this answer























                up vote
                0
                down vote










                up vote
                0
                down vote









                I tried to reproduce the same error using bash snippet you provided, however it successfully built the ‘flask-demo-app’ container registry image for me. I used below steps to reproduce the issue:



                Step 1: Use account which have ‘role: roles/owner’ and ‘role: roles/editor’



                Step 2: Created bash script using your given snippet



                Step 3: Added ‘gcloud auth activate-service-account --key-file skey.json’ in script to authenticate the account



                Step 4: Run the bash script



                Result : It created the ‘flask-demo-app’ container registry image



                This leads me to believe that there might be an issue with your environment which is causing this error for you. To troubleshoot this you could try running your code on a different machine, a different network or even on the Cloud Shell.






                share|improve this answer












                I tried to reproduce the same error using bash snippet you provided, however it successfully built the ‘flask-demo-app’ container registry image for me. I used below steps to reproduce the issue:



                Step 1: Use account which have ‘role: roles/owner’ and ‘role: roles/editor’



                Step 2: Created bash script using your given snippet



                Step 3: Added ‘gcloud auth activate-service-account --key-file skey.json’ in script to authenticate the account



                Step 4: Run the bash script



                Result : It created the ‘flask-demo-app’ container registry image



                This leads me to believe that there might be an issue with your environment which is causing this error for you. To troubleshoot this you could try running your code on a different machine, a different network or even on the Cloud Shell.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 7 hours ago









                Amit S

                234




                234






























                     

                    draft saved


                    draft discarded



















































                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53410165%2fdocker-push-to-gcr-io-fails-with-denied-token-exchange-failed-for-project%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Contact image not getting when fetch all contact list from iPhone by CNContact

                    Image
                    up vote 0 down vote favorite I know this question already asked but not getting solution. From this code I will get all the information from the contact but image not found when open vcf files on mac os, also not getting when share this file. I use this stackoverflow link here but It's not help full. var contacts = [CNContact]() let keys = [CNContactVCardSerialization.descriptorForRequiredKeys() ] as [Any] let request = CNContactFetchRequest(keysToFetch: keys as! [CNKeyDescriptor]) do { try self.contactStore.enumerateContacts(with: request) { (contact, stop) in // Array containing all unified contacts from everywhere contacts.append(contact) } } catch { print("unable to fetch contacts") } do { let data = try
                    Read more

                    count number of partitions of a set with n elements into k subsets

                    Image
                    up vote 6 down vote favorite 1 This program is for count number of partitions of a set with n elements into k subsets I am confusing here return k*countP(n-1, k) + countP(n-1, k-1); can some one explain what is happening here? why we are multiplying with k? NOTE->I know this is not the best way to calculate number of partitions that would be DP // A C++ program to count number of partitions // of a set with n elements into k subsets #include<iostream> using namespace std; // Returns count of different partitions of n // elements in k subsets int countP(int n, int k) { // Base cases if (n == 0 || k == 0 || k > n) return 0; if (k == 1 || k == n) return 1; // S(n+1, k) = k*S(n, k) + S(n, k-1) return k*countP(n-1, k) + countP(n-1, k-1); } // Driver program int ma
                    Read more

                    A CLEAN and SIMPLE way to add appendices to Table of Contents and bookmarks

                    Image
                    0 I found a lot of questions abount appendices and ToC. Many users want appendices to be grouped in an Appendix part, however some problems arise with ToC, hyperref, PDF viewer bookmarks, and so on. There are different solutions which require extra packages, command patching and other extra code, however none of them satisfies me. I almost found an easy way to accomplish a good result, where appendices are added to bookmarks in the right way and hyperref links point to the right page. However, the number of the "Appendix" part page is wrong (it's the number of appendix A). Is there any EASY way to fix that? This is a MWE: documentclass{book} usepackage[nottoc,notlot,notlof]{tocbibind} usepackage{hyperref} begin{document} frontmatter tableofcontents mainmatter part{First} chapter{
                    Read more