Can't push image to google container registry - Caller does not have permission 'storage.buckets.get'
In the past I had another service account with same name and different permissions. After discovering that service account names are cached, I created a new service account with different name and it's pushing properly.
For anyone reading all the way here. The other suggestions here did not help me, however I found that the Cloud Service Build Account role was also required. Then the storage.buckets.get
dissappears.
This is my minimal role (2) setup to push docker images:
The Cloud Service Build Account role however adds many more permissions that simply storage.buckets.get
. The exact permissions can be found here.
note: I am well aware the Cloud Service Build Account role also adds the storage.objects.get
permission. However, adding roles/storage.objectViewer
did not resolve my problem. Regardless of the fact it had the storage.objects.get
permission.
If the above does not work you might have the wrong account active. This can be resolved with:
gcloud auth activate-service-account --key-file key.json
If that does not work you might need to set the docker credential helpers with:
gcloud auth configure-docker --project <project_name>
On one final note. There seemed to be some delay between setting a role and it working via the gcloud
tool. This was however minimal, think of a scope less than a minute.
Cheers
for anyone else coming across this, my issue was that I had not granted my service account Storage legacy bucket reader
. I'd only granted it Object viewer
. Adding that legacy permission fixed it.
It seems docker is still using a legacy method to access GCR