Issues with Private GCP Container Registry

Hello –

I am having some issues with setting up private image pulls from a GCP Registry. I am attempting to use a Service Account in GCP to set this up. Essentially, I have performed the following steps:

  1. Created a json key file with the correct permissions in my GCP project that houses my container images.
  2. Downloaded my key file and ran the following command against the key file:
    cat account.json | docker login -u _json_key --password-stdin https://gcr.io
  3. Confirmed that once the docker login succeeded that I could pull images from that registry

At this point I logged into Drone and added a secret named dockerconfig with the contents of my /.docker/config.json from the previous steps. I then set up a pipeline that looks something like this:

#---------------#
#  Pipeline One #
#---------------#
kind: pipeline
type: docker
name: pipeline-1

environment:
  SOME_VARIABLES: blah

steps:
...
- name: Step-that-matters
  image: gcr.io/<my-project>/<my-image>
...

image_pull_secrets:
- dockerconfig

trigger:
  event:
  - pull_request

#END OF PIPELINE ONE
---
# START OF SECOND PIPELINE
#---------------#
#  Pipeline two #
#---------------#
kind: pipeline
type: docker
name: pipeline-2

...

trigger:
  branch:
  - master
  event:
  - push

However, every time this pipeline reaches the step where it needs to download the private image I receive the following error:

<pipeline-name>: Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

I have triple checked my permissions at this point although this was confirmed in Step 3 from above. Is there something else I am missing or some formatting issue I have?

Let me know if you need any additional info and thank you!!

We have the root cause and solution documented here: https://github.com/drone/drone-runtime/issues/55

Thanks for the follow up. Unfortunately, I never had any entries to https://gcr.io within my config.json to begin with. What I essentially had was something that looked like this:

{
        "auths": {
                "gcr.io": {
                        "auth": "PRIVATE_KEY"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.5 (linux)"
        }
}

I stripped it down to look like this prior to adding it as a secret:

{
        "auths": {
                "gcr.io": {
                        "auth": "PRIVATE_KEY"
                }
        }
}

But still had no luck. I have gotten this to work in the past but I don’t recall doing anything different from what I described above. Is there something else I am missing?

Thanks again for the help!

Just to add to this – I tried a few more things without any luck. The first one was I changed the format of my dockerconfigjson secret entry to look like this (I didn’t expect this to work but tried it anyways):

{
        "auths": {
                "gcr.io": {
                        "auth": "my-key"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.6 (linux)"
        }
}

Next, I tried to remove my second pipeline in case that was causing some issues. Finally, I added a tag on the image pull so it looked something like this image: gcr.io/foo-project/blah-image:latest but unfortunately still had no luck.

These were all complete shots in the dark but thought I would add some more information for things I have tried.

Thanks!

Disregard the above. I found the issue. This was stated in the document here; I just completely missed it. I needed to add the Allow Pull Requests option on my secret. What's interesting is I know I have not added that to my secret in the past and it has worked. Regardless, the issue is resolved.

Thanks for the help again!

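A way to sanity-check the contents of a dockerconfig secret like the ones posted in this thread before storing it in Drone, as an added example that is not code from the thread or from Drone: it decodes the auths entry for the image's registry and confirms it holds `_json_key` plus a service account key. The function names, the sample key and the bare-host matching are assumptions of this example; it inspects the file only, not secret settings such as Allow Pull Requests.

```python
import base64
import json

def registry_host(ref):
    """Bare registry host from an image reference or an auths key (scheme and path dropped)."""
    return ref.split("://", 1)[-1].split("/", 1)[0]

def check_dockerconfig(config_text, image):
    """Return a list of problems found in a dockerconfig secret for pulling `image`."""
    try:
        config = json.loads(config_text)
    except ValueError as exc:
        return [f"secret is not valid JSON: {exc}"]
    problems = []
    if config.get("credsStore") or config.get("credHelpers"):
        problems.append("credential helper configured; the key may not be stored in this file")
    host = registry_host(image)
    # Assumption of this example: compare by bare host, so "https://gcr.io" matches "gcr.io".
    entries = {registry_host(k): v for k, v in config.get("auths", {}).items()}
    if host not in entries:
        return problems + [f"no auths entry for {host} (found {sorted(entries)})"]
    try:
        # docker login stores base64("user:password") in the "auth" field.
        raw = base64.b64decode(entries[host].get("auth", ""), validate=True)
        user, _, password = raw.decode().partition(":")
    except ValueError:
        return problems + [f"auth for {host} is not base64 of user:password"]
    if user != "_json_key":
        problems.append(f"user is {user!r}, expected '_json_key'")
    try:
        key = json.loads(password)  # with _json_key the password is the key file itself
    except ValueError:
        key = None
    if not isinstance(key, dict) or key.get("type") != "service_account" or "private_key" not in key:
        problems.append("password is not a service account JSON key")
    return problems

def sample_config(user="_json_key"):
    """Constructed sample: a fake key encoded the way `docker login` stores it."""
    key = json.dumps({"type": "service_account", "private_key": "CONSTRUCTED-NOT-A-REAL-KEY",
                      "client_email": "puller@example-project.iam.gserviceaccount.com"})
    auth = base64.b64encode(f"{user}:{key}".encode()).decode()
    return json.dumps({"auths": {"gcr.io": {"auth": auth}}})

if __name__ == "__main__":
    image = "gcr.io/foo-project/blah-image:latest"
    print(check_dockerconfig(sample_config(), image) or "secret looks usable for " + image)
```

The decoded value contains the service account's private key, so run a check like this only where the key file itself is allowed to be.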