Troubleshooting Container Registry service
This document describes how to resolve issues related to the Container Registry service.
Docker login failure error
When logging into Docker using an issued access key ID and secret access key, the following error may appear instead of Login Succeeded.
Get "RepositoryURI": unauthorized: login failed
Error response from daemon: Get "${repository_uri}": unauthorized: login failed
This error occurs if the access key ID or secret access key was entered incorrectly or has expired.
▶️ Solution: Check whether the access key ID and secret access key were entered correctly. If the keys have expired, issue a new set and try logging in again.
For more information, refer to the Access key issuance guide.
Get "RepositoryURI": net/http: request canceled while waiting for connection
Error response from daemon: Get "${repository_uri}": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
This error can occur when the registry's domain name cannot be resolved in the current environment.
▶️ Solution: Ensure the query to ${repository_uri} executes correctly. Follow the steps below:
- From the error message, isolate the domain (hostname) portion of ${repository_uri} and test it separately.
  For example, if ${repository_uri} is https://myproject.kr-central-2.kcr.dev/myrepo/, test only myproject.kr-central-2.kcr.dev.
  # Command
  nslookup ${repository_uri_domain}
  # Sample output
  ;; communications error to ${dns_server_ip}#53: timed out
- This may indicate an issue with the DNS server used for the query.
  If you're using a custom DNS server, you may need to reconfigure it.
  If reconfiguration is difficult, consider switching to an external DNS server (ensure no other conflicts arise from this change).
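The check described above as a script, added here as an example and not taken from the original guide: it extracts the hostname from a repository URI or from a Docker error line, runs nslookup on it, and classifies the output. The function names and verdict labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Function names and verdict labels are hypothetical.

# Print the hostname from a repository URI, or from a Docker error line
# that quotes the URI after Get or Head.
registry_host() (
  uri=$1
  case $uri in
    *'Get "'*|*'Head "'*)
      uri=$(printf '%s\n' "$uri" | sed -E 's/.*(Get|Head) "([^"]*)".*/\2/') ;;
  esac
  uri=${uri#*://}   # strip the scheme
  uri=${uri%%/*}    # strip the path
  uri=${uri%%:*}    # strip a port, if present
  printf '%s\n' "$uri"
)

# Classify nslookup output read from stdin.
dns_verdict() (
  out=$(cat)
  case $out in
    *'timed out'*|*'no servers could be reached'*) echo dns-server-unreachable ;;
    *NXDOMAIN*|*"can't find"*)                     echo lookup-failed ;;
    *Name:*)                                       echo resolved ;;
    *)                                             echo unknown ;;
  esac
)

# Resolve the registry hostname and report which case applies.
diagnose() {
  host=$(registry_host "$1")
  verdict=$(nslookup "$host" 2>&1 | dns_verdict)
  echo "$host: $verdict"
  case $verdict in
    dns-server-unreachable) echo "The configured DNS server did not answer; check or replace it." ;;
    lookup-failed)          echo "The DNS server answered but could not resolve the name." ;;
    resolved)               echo "DNS is working; the timeout has another cause." ;;
  esac
}

# Usage: ./check_registry_dns.sh 'https://myproject.kr-central-2.kcr.dev/myrepo/'
if [ "$#" -gt 0 ]; then
  diagnose "$1"
fi
```
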
Image pull error
failed to resolve reference "ImageURI": failed to do request: Head Image
When pulling images in a Kubernetes Engine cluster environment, the following error may appear:
failed to resolve reference "${image_uri}": failed to do request: Head "${image_manifest_uri}": dial tcp 61.109.235.253:443: connect: network is unreachable
The Container Registry service is only supported in environments with internet access.
This error indicates that the image download environment does not have external network access to the Container Registry.
▶️ Solution: If you need to pull images from a private environment, configure external access using a NAT instance.
Image push error
denied: requested access to the resource is denied
This error may occur when pushing an image to a repository:
denied: requested access to the resource is denied
There are several possible causes for this error:
1. The user only has repository viewer permissions
The repository viewer role allows only image pull actions, not push.
▶️ Solution: Change the repository to public or grant the user repository member permissions.
Refer to the Access permissions guide for more details.
2. The user has Project Reader permissions
Project Readers can only pull images and cannot push.
▶️ Solution: Since you cannot assign repository member permissions to a Project Reader, consider changing the user's IAM role.
A user who is a reader in the current project can be granted member permissions in other projects, but not in this one.
3. The repository is private
In a private repository, users not belonging to the project or anonymous users cannot push images.
▶️ Solution: Assign the necessary user as a repository member to grant access.
For steps to add a repository member, refer to Configure repository permission.
Permission setting error: "Failed to change permissions" message
You may see the message “Failed to change permissions” when adding a user during permission configuration.
▶️ Solution: This is expected behavior when the user is already part of the project.
Users with project admin or project member roles are automatically granted Container Registry admin permissions.
However, Project Readers are treated as basic IAM users with read-only access and cannot be granted additional permissions.