GCP Service account and GCR Permissions

Athul RAVINDRAN
Nov 1, 2019


This story is part of a larger story with instructions to automate publishing/pushing images to GCR (Google Container Registry). I decided to break my original story into smaller chunks to make it readable and easy to follow.

Let’s get to work. Below are the instructions to create a GCP service account, grant that service account the admin role on the GCR bucket, and download the JSON key of the service account for authentication.

I assume that you have a Google Cloud Console account and a project created. I have also included instructions on how to push an image manually from the command line, in case you have not already pushed one.

Log on to your Google Cloud Console and scroll down to the bottom of the menu to find Container Registry. Finish the set-up (self-explanatory).

The GCR registry URL format is https://gcr.io/project_name, where project_name is the GCP project name. This is standard for all projects.

On the side bar, click “IAM & Admin -> Service Accounts”. Click the “+ Create Service Account” button at the top to create a new account.

Step 1:

Enter the service account name (I call it Jenkins); the description is optional. Click the Create button.

Step 2:

Leave the permissions empty (they are optional). Click Continue.

Step 3:

Leave all the fields empty, click the Create Key button, choose JSON as the key type, and click Create to download the key file to your machine.

Once you have the file, we need to grant the account access to the registry through its Storage bucket.

Storage Bucket

On the side bar, click Storage -> Browser. You should see an existing bucket. If not, push at least one image to your project registry first: the bucket is only created once at least one image exists.

Pushing Images Manually to GCR

I assume that you have a project ready with a Dockerfile to build the image you will push.

docker build -t gcr.io/projectName/imageName:version -f Dockerfile .
docker push gcr.io/projectName/imageName:version

The first time you try to push, you may not succeed and might run into two issues.

1. Enable the Google Container Registry API.
Token exchange failed for project ‘my_project’. Please enable Google Container Registry API in Cloud Console at https://console.cloud.google.com/apis/api/containerregistry.googleapis.com/overview?project=my_project before performing this operation.

To solve this problem, open the side bar and choose “API & Services”. Search for Google Container Registry API in the search bar and enable it.

2. Authentication: I would call this a temporary problem, as the whole point of this exercise is to set up service account authentication, which is long-term and reliable.

denied: Token exchange failed for project ‘my_project’. Caller does not have permission ‘storage.buckets.create’. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control

Execute the command below the first time only. It obtains a short-lived token for a successful authentication.

gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin https://gcr.io

Try the push command again and it should go through.

Storage Bucket (cont’d)

Now you should see a bucket listed as shown in the image.

Click on the bucket and go to the Permissions tab. Click Add members and grant the service account Storage Admin access.
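With the JSON key from Step 3 and the bucket grant above in place, the remaining step the post leaves implicit is logging Docker in with that key: the user name is the literal `_json_key` and the key file is fed on stdin, so it never lands in argv or shell history. The script below is an added example, not code from the original post; it checks the downloaded key against the project you expect to push to before running the login. The file name jenkins-key.json and the project my_project are assumptions.

```python
"""Sanity-check a downloaded GCP service-account JSON key, then use it to
log Docker in to gcr.io. Assumes the key-file layout Google emits for
service accounts (type, project_id, client_email, private_key, ...)."""
import json
import subprocess

REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "token_uri")


def check_key(key: dict, project: str) -> list:
    """Return a list of problems; an empty list means the key looks usable
    for pushing to gcr.io/<project>."""
    problems = [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if problems:
        return problems
    if key["type"] != "service_account":
        problems.append(f"not a service-account key (type={key['type']})")
    if key["project_id"] != project:
        problems.append(
            f"key belongs to project {key['project_id']}, not {project}")
    # Service-account e-mails always live under <project>.iam.gserviceaccount.com
    domain = f"@{key['project_id']}.iam.gserviceaccount.com"
    if not key["client_email"].endswith(domain):
        problems.append(f"unexpected client_email: {key['client_email']}")
    pem = key["private_key"]
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM PKCS#8 block")
    return problems


def login_command() -> list:
    """docker login for a JSON key: user is _json_key, password comes on stdin."""
    return ["docker", "login", "-u", "_json_key", "--password-stdin",
            "https://gcr.io"]


def docker_login(key_path: str, project: str) -> None:
    """Refuse to log in with a key that fails the checks above."""
    with open(key_path, "r", encoding="utf-8") as f:
        raw = f.read()
    problems = check_key(json.loads(raw), project)
    if problems:
        raise ValueError("; ".join(problems))
    subprocess.run(login_command(), input=raw.encode(), check=True)


if __name__ == "__main__":
    docker_login("jenkins-key.json", "my_project")  # assumed file and project
```

The most common failure this catches is a key downloaded from a different project than the registry you are pushing to, which otherwise surfaces only as a confusing permission error at push time.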

Good Luck !!
