I am having some issues with setting up private image pulls from a GCP Registry. I am attempting to use a Service Account in GCP to set this up. Essentially, I have performed the following steps:
Created a json key file with the correct permissions in my GCP project that houses my container images.
Downloaded my key file and ran the following command against the key file: cat account.json | docker login -u _json_key --password-stdin https://gcr.io
Confirmed that once the docker login succeeded that I could pull images from that registry
At this point I logged into Drone and added a secret named dockerconfig with the contents of my /.docker/config.json from the previous steps. I then setup a pipeline that looks something like this:
# Pipeline One #
- name: Step-that-matters
#END OF PIPELINE ONE
# START OF SECOND PIPELINE
# Pipeline two #
However, every time this pipeline reaches the step where it needs to download the private image I receive the following error:
<pipeline-name>: Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
I have triple checked my permissions at this point although this was confirmed in Step 3 from above. Is there something else I am missing or some formatting issue I have?
Let me know if you need any additional info and thank you!!
Just to add to this – I tried a few more things without any luck. The first one was I changed the format of my dockerconfigjson secret entry to look like this (I didn’t expect this to work but tried it anyways):
Next, I tried to remove my second pipeline in case that was causing some issues. Finally, I added a tag on the image pull so it looked something like this image: gcr.io/foo-project/blah-image:latest but unfortunately still had no luck.
These were all complete shots in the dark but thought I would add some more information for things I have tried.
Disregard the above. I found the issue. This was stated in the document here I just completely missed it. I needed to add the Allow Pull Requests option on my secret. Whats interesting is I know I have not added that to my secret in the past and it has worked. Regardless, the issue is resolved.