Google Artifact Registry Permission Denied for GitHub Actions
Problem Statement
You receive a Permission "artifactregistry.repositories.uploadArtifacts" denied error when pushing Docker images to Google Artifact Registry (GAR) using GitHub Actions. This typically occurs despite configuring authentication and IAM permissions due to:
- Missing Docker registry authentication
- Incorrect token usage
- Insufficient service account permissions (especially for Workload Identity Federation)
- Regional misconfiguration
- Docker configuration issues
denied: Permission "artifactregistry.repositories.uploadArtifacts"
denied on resource "projects/PROJECT_ID/locations/asia-south1/repositories/images"Solutions
1. Verify Service Account Permissions
Ensure your service account has these minimum IAM roles:
roles/artifactregistry.writer(for Artifact Registry)roles/iam.serviceAccountTokenCreator(if using Workload Identity Federation)
Verification
Use GCP IAM Policy Troubleshooter to confirm artifactregistry.repositories.uploadArtifacts permission
2. Configure Docker Registry Authentication
These methods work in GitHub Actions:
Option A: Using docker/login-action (Recommended)
- name: Login to GAR
uses: docker/login-action@v3
with:
registry: ${{ env.REGION }}-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }} # Critical: Use ACCESS_TOKENOption B: Manual Docker Login with Access Token
- name: Manual Docker Login
run: |
gcloud auth print-access-token --impersonate-service-account=$SA_EMAIL \
| docker login -u oauth2accesstoken --password-stdin https://${{ env.REGION }}-docker.pkg.devOption C: Configure Docker Helper
- name: Configure Docker Client
run: |
gcloud auth configure-docker ${{ env.REGION }}-docker.pkg.dev --quiet3. Workload Identity Federation Configuration
Ensure proper token format when using GHA authentication action:
- id: auth
uses: google-github-actions/auth@v1
with:
workload_identity_provider: 'projects/PROJECT_ID/locations/global/workloadIdentityPools/...'
service_account: 'service-account@project.iam.gserviceaccount.com'
token_format: access_token # Required for docker/login-action4. Regional Configuration
Explicitly define your GAR region in all commands:
env:
REGION: asia-south1 # Replace with your regionComplete Workflow Example
name: Build and Push to GAR
on: [push]
jobs:
deploy:
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Checkout
uses: actions/checkout@v4
- id: auth
uses: google-github-actions/auth@v1
with:
workload_identity_provider: ${{ secrets.PROVIDER }}
service_account: ${{ secrets.SERVICE_ACCOUNT }}
token_format: access_token
- name: Set up gcloud
uses: google-github-actions/setup-gcloud@v1
- name: Docker Login
uses: docker/login-action@v3
with:
registry: asia-south1-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Build and Push
run: |
docker build -t asia-south1-docker.pkg.dev/$PROJECT_ID/images/app:$GIT_TAG .
docker push asia-south1-docker.pkg.dev/$PROJECT_ID/images/app:$GIT_TAGCommon Pitfalls & Fixes
Wrong token output:
⚠️ Usesteps.auth.outputs.access_tokeninstead ofauth_tokenMissing Token Creator role:
Permission 'iam.serviceAccounts.getAccessToken' deniedFix: Grant
Service Account Token Creatorrole to GitHub Identity PoolRegional mismatch:
Ensure region matches in:- Artifact Registry URL
- Docker login registry
gcloud configure-dockercommand
Docker installation issues (WSL/Linux): Avoid snap installations - use official Docker install
Impersonation Note
Remove --impersonate-service-account if not explicitly enabled on service account
Following these solutions, prioritize docker/login-action for GitHub Actions workflows as it handles authentication cleanly without manual token management. Always verify both Artifact Registry permissions and token creator roles when using Workload Identity Federation.