无法将docker镜像推送到GCP注册表：拒绝：项目的令牌交换失败 <my_project_id> 拒绝访问

Question

While trying to push a docker image on Google Cloud Registry using Google cloud cli, i am getting an error :

denied: Token exchange failed for project . Access denied.

I have followed the below steps :

1. Installed Google cloud sdk shell
2. Downloaded a key json file for my IM account
3. Set authentication using following command :

google-cloud-sdk/bin/gcloud auth activate-service-account --key-file <path_to_json_file>

4. Executed below command for login:

docker login -u _json_key --password-stdin https://asia.gcr.io < path_to_json_file

5. Built and tagged a docker image.

6. Tried pushing an image to GCR using following command :

docker push "asia.gcr.io/$GCLOUD_PROJECT_ID/$IMAGE_NAME:latest"

I am getting result as follows:

The push refers to repository [asia.gcr.io/<my_project_id>/<my_image_name>]
1bd77e11e1bf: Preparing
b57c79f4a9f3: Preparing
d60e01b37e74: Preparing
e45cfbc98a50: Preparing
762d8e1a6054: Preparing

denied: Token exchange failed for project <my_project_id>. Access denied.

Note : 1. My GCR API is already enabled.

2. Docker version I am using is 'Docker version 18.09.2, build 6247962'

3. I am using windows machine where Google cloud CLI is installed. So all the operations are being performed from Widows only.

4. Same thing I have tried on Gitlab image 'Docker:latest' in my Gitlab pipeline. Error is same at both places (My local Windows machine and Gitlab Pipeline)

Answer 1

You don't need step #3 because you're authenticating Docker (not gcloud) to use the service account's credentials.

It works for me on a Linux (Cloud Shell) instance; I assume GitLab uses Linux. I've not tried from a Windows machine.

I recommend you check that you're referring to the correct service account, key, project etc. As is mentioned in the comments, the service account needs >= roles/storage.admin