for gitlab registry buildx --push makes error insufficient_scope: authorization failed, docker push same image works

[iav]

One of my dockerfile can't be pushed to registry.gitlab.com as part of docker buildx build -f test -t registry.gitlab.com/xxxxx --platform amd64 --push . with error

#26 pushing layers
#26 pushing layers 2.5s done
#26 ERROR: server message: insufficient_scope: authorization failed
------
 > exporting to image:
------
failed to solve: rpc error: code = Unknown desc = server message: insufficient_scope: authorization failed

but same image can be pushed if builded to local registry then pushed by docker:
docker push registry.gitlab.com/xxxxxx

same time same computer other (tiny test image) can be successfuly build and pushed to gitlab directly as it should, docker buildx build -f test -t registry.gitlab.com/iav1/musl-builder --platform linux/arm/v7,linux/arm64,amd64 --push .

How to fix that?

$ docker version
Client: Docker Engine - Community
 Version:           19.03.3
 API version:       1.40
 Go version:        go1.12.10
 Git commit:        a872fc2f86
 Built:             Tue Oct  8 01:00:44 2019
 OS/Arch:           linux/amd64
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          19.03.3
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.10
  Git commit:       a872fc2f86
  Built:            Tue Oct  8 00:59:17 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

[tonistiigi]

cc @dmcgowan

[mingzhaochina]

I have the same problem..

[viceice]

same here, see https://github.com/viceice/docker-buildx-tests
but for github registry

[miigotu]

I just got this working, with github actions:

    - name: Prepare
      if: success()
      id: prepare
      run: |
        echo ::set-output name=docker_platforms::linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,linux/386,linux/ppc64le,linux/s390x
        echo ::set-output name=docker_username::miigotu
        echo ::set-output name=docker_image::docker.io/miigotu/sickchill
        echo ::set-output name=version::${GITHUB_REF#refs/*/}
        echo ::set-output name=hash::${GITHUB_SHA}
    - name: Docker Login
      if: success()
      env:
        DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
      run: |
        echo "${DOCKER_PASSWORD}" | docker login --username "${{ steps.prepare.outputs.docker_username }}" --password-stdin docker.io
    - name: Run Buildx (master)
      if: success() && contains(steps.prepare.outputs.version, 'master')
      run: |
        docker buildx build \
          --output type=image,name=${{ steps.prepare.outputs.docker_image }},push=true \
          --platform ${{ steps.prepare.outputs.docker_platforms }} \
          --tag "${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}" \
          --tag "${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.hash }}" \
          --tag "${{ steps.prepare.outputs.docker_image }}:latest" \
          --file Dockerfile .
    - name: Run Buildx (non-master)
      if: success() && !contains(steps.prepare.outputs.version, 'master')
      run: |
        docker buildx build \
          --output type=image,name=${{ steps.prepare.outputs.docker_image }},push=true \
          --platform ${{ steps.prepare.outputs.docker_platforms }} \
          --tag "${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.version }}" \
         --tag "${{ steps.prepare.outputs.docker_image }}:${{ steps.prepare.outputs.hash }}" \
          --file Dockerfile .

https://github.com/SickChill/SickChill/actions/runs/53326996/workflow#L85

Replace the 2 instances where I have docker.io with whatever registry you are using such as registry.gitlab.com or docker.pkg.github.com and it should work for whichever registry.

[miigotu]

@iav You mind adding github and insufficient_scope: authorization failed to the title of this issue so it can be found via google search for github insufficient_scope: authorization failed and gitlab insufficient_scope: authorization failed ?

[erulabs]

Hello!

I ran into this issue using buildx on a system with Ubuntu's snap docker installed. docker login puts credentials in a directory like /home/$USER/snap/docker/471/.docker/config.json - which buildx does not appear to read. Copying that file to the normal /home/$USER/.docker/config.json location allows buildx to authenticate.

[matwey]

Where did /home/$USER/snap/docker/471/.docker/ come from?

[crazy-max]

Seems to be a host misconfiguration issue. Let us know if it still happens.

[itkach]

I was having this exact same issue - turned out my image tag wasn't properly structured, I had registry.gitlab.com/project-name:version instead of registry.gitlab.com/gitlab-group/project-name:version

[cforce]

@miigotu Your working solution is nice, but can you explain what are /was the exact turn points which make it work and before didn't for the docker buildx command . Thanks once again for clarifying
@itkach Of course repository urls for project repos which are below a group will also include the group in the repo path. Your comment is misleading as someone might think all gitlab docker repos in gitlab are at the main domain path, but it depends.

[miigotu]

@miigotu Your working solution is nice, but can you explain what are /was the exact turn points which make it work and before didn't for the docker buildx command . Thanks once again for clarifying
@itkach Of course repository urls for project repos which are below a group will also include the group in the repo path. Your comment is misleading as someone might think all gitlab docker repos in gitlab are at the main domain path, but it depends.

All of them are in a "group", which is your username or organization that the repo is under. You can't push to gitlab's root domain. Aside from that idk what your question means?

[cforce]

For me it was just an simple issue with the ~/.docker/config.json . Delete it and run
"docker login registry.gitlab.com" - then use your gitlab user name and token (with read/write registry) rights and it works and auth is stored, so next time will reuse. Maybe "docker logout registry.gitlab.com" would have achieved the same - cleanup some token/auth state mess