Can auth and pull image locally, but not on dev servers #1002

Open
esn89 opened this issue Aug 1, 2023 · 5 comments

esn89 commented Aug 1, 2023

I am pulling from a private GCR registry which needs to be granted permissions via GCP IAM:

Get authentication token:

```go
// authenticateGcr looks for credentials with Google's FindDefaultCredentials to get a token
func authenticateGcr() (*oauth2.Token, error) {

	var token *oauth2.Token
	ctx_gcp := context.Background()
	scopes := []string{
		"https://www.googleapis.com/auth/cloud-platform",
	}
	credentials, err := google.FindDefaultCredentials(ctx_gcp, scopes...)
	if err != nil {
		return token, fmt.Errorf("authenticateGcr: %w", err)
	} else {
		token, err = credentials.TokenSource.Token()
		if err != nil {
			return token, fmt.Errorf("authenticateGcr: %w", err)
		}
	}
	return token, nil
}
```

Then use the token and do a pull:

```go
func pullImage(client *docker.Client) error {

	token, err := authenticateGcr()
	if err != nil {
		return fmt.Errorf("pullImage: %w", err)
	}

	err = client.PullImage(docker.PullImageOptions{
		Registry:   "",
		Repository: "gcr.io/private-gcp-project/private/work/image",
		Tag:        "supertag1",
		// let the progress bar library do this, it gets ugly on the CLI
		//OutputStream: os.Stdout,
	}, docker.AuthConfiguration{
		//Username: "oauth2accesstoken",
		//Password: token.AccessToken,
		RegistryToken: token.AccessToken,
	})

	if err != nil {
		return fmt.Errorf("pullImage: %w", err)
	}
	return nil
}
```

What's fascinating is that on my local machine (OSX), it works fine and I can even exec into the container without issues.

However, when I build for Linux via:

GOOS=linux GOARCH=amd64 go build

And I run it on my Linux servers, I get:

Error: Run: pullImage: API error (404): pull access denied for gcr.io/private-gcp-project/private/work/image, repository does not exist or may require 'docker login': denied: Permission denied for "supertag1" from request "/v2/private-gcp-project/private/work/image/manifests/supertag1". 

I am quite puzzled by this error message. I have done login via gcloud auth print-access-token | docker login -u oauth2accesstoken --password-stdin gcr.io. I wonder if it has anything to do with the v2 versioning?

Here is the ~/.docker/config for both environments:

```json
{
	"credsStore": "desktop",
	"credHelpers": {
		"asia.gcr.io": "gcloud",
		"eu.gcr.io": "gcloud",
		"gcr.io": "gcloud",
		"marketplace.gcr.io": "gcloud",
		"staging-k8s.gcr.io": "gcloud",
		"us.gcr.io": "gcloud"
	},
	"currentContext": "desktop-linux"
}
```

fsouza (Owner) commented Sep 9, 2023

Do you not need to set username, password and registry to make it compatible with docker login -u oauth2accesstoken --password-stdin gcr.io? (I see that you commented it out in the code, so maybe you tried it already, but I'm curious about what happened in that case.)
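
An added example, not part of the thread and not the project's own code: the Docker Engine API receives registry credentials as base64url-encoded JSON in the X-Registry-Auth header, so the two variants discussed above (RegistryToken alone, versus the username/password/registry form that mirrors docker login -u oauth2accesstoken) can be compared by building and decoding that payload. The type and function names are hypothetical, the JSON field names are assumed to follow Docker's AuthConfig, and the token is a constructed value.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// authConfig is a hypothetical local type using the JSON field names of Docker's AuthConfig.
type authConfig struct {
	Username      string `json:"username,omitempty"`
	Password      string `json:"password,omitempty"`
	ServerAddress string `json:"serveraddress,omitempty"`
	RegistryToken string `json:"registrytoken,omitempty"`
}

// encodeRegistryAuth returns the base64url-encoded JSON sent as X-Registry-Auth.
func encodeRegistryAuth(a authConfig) string {
	raw, _ := json.Marshal(a) // cannot fail: the struct holds only strings
	return base64.URLEncoding.EncodeToString(raw)
}

// describeRegistryAuth decodes a header value and reports the auth mode and
// secret length only, so the result can be logged without leaking the token.
func describeRegistryAuth(header string) (string, error) {
	raw, err := base64.URLEncoding.DecodeString(header)
	if err != nil {
		return "", fmt.Errorf("describeRegistryAuth: %w", err)
	}
	var a authConfig
	if err := json.Unmarshal(raw, &a); err != nil {
		return "", fmt.Errorf("describeRegistryAuth: %w", err)
	}
	switch {
	case a.RegistryToken != "" && a.Username == "":
		return fmt.Sprintf("mode=registrytoken server=%q secret_len=%d", a.ServerAddress, len(a.RegistryToken)), nil
	case a.Username != "" && a.Password != "":
		return fmt.Sprintf("mode=basic user=%q server=%q secret_len=%d", a.Username, a.ServerAddress, len(a.Password)), nil
	}
	return "mode=incomplete", nil
}

func main() {
	tok := "constructed-sample-token" // constructed value, not a real credential
	for _, a := range []authConfig{{RegistryToken: tok}, {Username: "oauth2accesstoken", Password: tok, ServerAddress: "gcr.io"}} {
		fmt.Println(describeRegistryAuth(encodeRegistryAuth(a)))
	}
}
```

Logging the description on both the working and the failing host shows which credential form each build actually sends, without writing the access token to the log.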

Arpit529Srivastava commented Oct 4, 2024

@esn89 @fsouza can you please assign this issue to me? I can fix this.
Also, please add the issue under the label hacktoberfest and hacktoberfest-accepted.

esn89 (Author) commented Oct 4, 2024

@Arpit529Srivastava thanks for taking initiative. I don't have permissions to assign I believe.

fsouza (Owner) commented Oct 4, 2024

@Arpit529Srivastava go for it. I believe the hacktoberfest-accepted label needs to be applied to the PR, but please let me know if that's wrong and I can add it.

Arpit529Srivastava commented Oct 4, 2024

@fsouza thanks.
Will make the PR very soon. Also, assign the issue to me please.
