Troubleshooting Container Registry service

This document describes how to resolve issues related to the Container Registry service.


Docker login failure error

When logging into Docker using an issued access key ID and secret access key, the following error may appear instead of Login Succeeded.

Get "RepositoryURI": unauthorized: login failed

Error message
Error response from daemon: Get "${repository_uri}": unauthorized: login failed

This error occurs if the access key ID or secret access key was entered incorrectly or has expired.

▶️ Solution: Check whether the access key ID and secret access key were entered correctly. If the keys have expired, issue a new set and try logging in again.
For more information, refer to the Access key issuance guide.


Get "RepositoryURI": net/http: request canceled while waiting for connection

Error message
Error response from daemon: Get "${repository_uri}": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

This error can occur when the DNS lookup for the registry domain fails in the current environment.

▶️ Solution: Verify that the DNS query for the domain in ${repository_uri} resolves correctly. Follow the steps below:

  1. From the error message, isolate the domain (hostname) portion of ${repository_uri} and test it separately.
    For example, if ${repository_uri} is https://myproject.kr-central-2.kcr.dev/myrepo/, test only myproject.kr-central-2.kcr.dev.

    # Command
    nslookup ${repository_uri_domain}

    # Sample output
    ;; communications error to ${dns_server_ip}#53: timed out

  2. A timed-out response like the sample above may indicate an issue with the DNS server used for the query.
    If you're using a custom DNS server, you may need to reconfigure it.
    If reconfiguration is difficult, consider switching to an external DNS server (ensure no other conflicts arise from this change).
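
The two steps above can be scripted as follows. This is an added example, not part of the Container Registry documentation; the function names are hypothetical, and the optional second argument is the IP of an alternate DNS server that you supply for comparison.

```bash
#!/usr/bin/env bash
# Added example: DNS triage for a registry hostname (function names are hypothetical).

# Step 1: reduce a repository URI to its bare hostname.
registry_host() {
  local uri="$1"
  uri=${uri#*://}   # drop scheme (https://)
  uri=${uri%%/*}    # drop path (/myrepo/)
  uri=${uri##*@}    # drop userinfo, if any
  uri=${uri%%:*}    # drop port, if any
  printf '%s\n' "$uri"
}

# Classify nslookup output text as resolved, timeout or no-answer.
# "Name:" is tested first: a lookup that timed out on one server but
# was answered by the next one still counts as resolved.
classify_lookup() {
  case $1 in
    *Name:*) echo resolved ;;
    *"timed out"*|*"no servers could be reached"*) echo timeout ;;
    *) echo no-answer ;;
  esac
}

# Step 2: query the configured resolver, then (optionally) an alternate
# resolver given as the second argument, and compare the two verdicts.
diagnose() {
  local host alt="${2:-}" first second
  host=$(registry_host "$1")
  first=$(classify_lookup "$(nslookup "$host" 2>&1 || true)")
  echo "$host via configured resolver: $first"
  [ "$first" = resolved ] && return 0
  [ -n "$alt" ] || return 1
  second=$(classify_lookup "$(nslookup "$host" "$alt" 2>&1 || true)")
  echo "$host via $alt: $second"
  if [ "$second" = resolved ]; then
    echo "The configured DNS server is the likely fault; the name itself resolves."
  fi
  return 1
}

# Usage: ./dns-triage.sh <repository_uri> [alternate_dns_server_ip]
if [ "$#" -gt 0 ]; then
  diagnose "$@"
fi
```

A timeout from the configured resolver combined with a successful answer from the alternate one points at the DNS server, as described in step 2. IPv6 literal hosts are not handled by registry_host.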


Image pull error

failed to resolve reference "ImageURI": failed to do request: Head Image

When pulling images in a Kubernetes Engine cluster environment, the following error may appear:

Error message
failed to resolve reference "${image_uri}": failed to do request: Head "${image_manifest_uri}": dial tcp 61.109.235.253:443: connect: network is unreachable

The Container Registry service is only supported in environments with internet access.
This error indicates that the image download environment does not have external network access to the Container Registry.

▶️ Solution: If you need to pull images from a private environment, configure external access using a NAT instance.


Image push error

denied: requested access to the resource is denied

This error may occur when pushing an image to a repository:

Error message
denied: requested access to the resource is denied

There are several possible causes for this error:

1. The user only has repository viewer permissions

The repository viewer role allows only image pull actions, not push.

▶️ Solution: Change the repository to public or grant the user repository member permissions.
Refer to the Access permissions guide for more details.

2. The user has Project Reader permissions

Project Readers can only pull images and cannot push.

▶️ Solution: Repository member permissions cannot be assigned to a Project Reader, so consider changing the user's IAM role.
A user who is a Project Reader in the current project cannot be granted member permissions in it, although they can be granted member permissions in other projects.

3. The repository is private

In a private repository, users not belonging to the project or anonymous users cannot push images.

▶️ Solution: Assign the necessary user as a repository member to grant access.
For steps to add a repository member, refer to Configure repository permission.


Permission setting error: "Failed to change permissions" message

You may see the message “Failed to change permissions” when adding a user during permission configuration.

▶️ Solution: This is expected behavior when the user is already part of the project.

Users with project admin or project member roles are automatically granted Container Registry admin permissions.
However, Project Readers are treated as basic IAM users with read-only access and cannot be granted additional permissions.