将Docker映像推送到Google Containerregistry时,导致身份validation错误的原因是什么?

我正在尝试按照他们的指示将Docker镜像从CircleCI构build推送到Google Container Registry。 但是,由于明显的authentication错误,推送到GCR失败:

Using 'push eu.gcr.io/realtimemusic-147914/realtimemusic-test/realtimemusic-test' for DOCKER_ARGS. The push refers to a repository [eu.gcr.io/realtimemusic-147914/realtimemusic-test/realtimemusic-test] (len: 1) Post https://eu.gcr.io/v2/realtimemusic-147914/realtimemusic-test/realtimemusic-test/blobs/uploads/: token auth attempt for registry: https://eu.gcr.io/v2/token?account=oauth2accesstoken&scope=repository%3Arealtimemusic-147914%2Frealtimemusic-test%2Frealtimemusic-test%3Apush%2Cpull&service=eu.gcr.io request failed with status: 403 Forbidden 

我之前推动Docker镜像对Google云服务帐户进行身份validation:

 echo $GCLOUD_KEY | base64 --decode > ${HOME}/client-secret.json gcloud auth activate-service-account --key-file ${HOME}/client-secret.json gcloud config set project $GCLOUD_PROJECT_ID 

然后,我build立图像,并将其推送到GCR:

 docker build -t $EXTERNAL_REGISTRY_ENDPOINT/realtimemusic-test -f docker/test/Dockerfile . gcloud docker push -- $EXTERNAL_REGISTRY_ENDPOINT/realtimemusic-test 

我在这里做错了什么?

您是否尝试过使用_json_key方法进行Docker身份validation? https://cloud.google.com/container-registry/docs/advanced-authentication

之后,请使用裸体“docker工”(不含'gcloud')。

服务帐户需要写入包含容器registry的云存储桶的权限。 授予服务帐户项目编辑者angular色或写入存储区(通过ACL)解决了这个问题。 后者应该是可取的,因为账户没有得到比需要更多的权限。