gcrane: unable to transfer images from google container registry to google artifact registry

[biswalc]

Describe the bug

Following the guide from https://cloud.google.com/artifact-registry/docs/docker/copy-from-gcr

I attempted to transfer the images from GCR to GAR using gcrane and it failed.

Permissions:
The service account(biswal-actions-sa) used to do the operation has both the below permissions:

• roles/storage.objectViewer - at the project level.
• roles/artifactregistry.writer - on the destination repo.

Also the Google managed service account('serviceAccount:service-123456789@gcp-sa-artifactregistry.iam.gserviceaccount.com') has the permissions

• roles/storage.objectViewer

gcloud auth list shows the desirable active SA:

% gcloud auth list
                               Credentialed Accounts
ACTIVE  ACCOUNT
*              biswal-actions-sa@my-project.iam.gserviceaccount.com

Copy command executed:

gcrane cp -r us.gcr.io/my-project/my-analysis us-docker.pkg.dev/my-project/my-analysis/my-analysis

This generates the error:

52:29 retrying without mount: Post "https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxx&origin=us.gcr.io": context canceled

2024/03/29 22:52:29 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxx&origin=REDACTED: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)

2024/03/29 22:52:29 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxx&origin=REDACTED: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)

2024/03/29 22:52:29 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxxx&origin=REDACTED: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)

2024/03/29 22:52:29 retrying without mount: POST https://us-docker.pkg.dev/v2/my-project/my-analysis/my-analysis/blobs/uploads/?from=my-project%2Fmy-analysis&mount=sha256%xxxxxxx&origin=REDACTED: DENIED: Permission "artifactregistry.repositories.uploadArtifacts" denied on resource "projects/my-project/locations/us/repositories/my-analysis" (or it may not exist)

Error: failed to copy "sha256:xxxxxxxxx

When I do the following steps they work out fine:

docker pull us.gcr.io/my-project/my-analysis:latest

docker tag us.gcr.io/my-project/my-analysis:latest us-docker.pkg.dev/my-project/my-analysis/my-analysis:latest

docker push us-docker.pkg.dev/my-project/my-analysis/my-analysis:latest

Google Support mentioned trying the execution in Gcloud Shell, and I faced the same issue there.

To Reproduce

gcrane cp -r us.gcr.io/my-project/my-analysis us-docker.pkg.dev/my-project/my-analysis/my-analysis

Expected behavior

gcrane should process the source, and the Artifact Registry should be able to import the image layers without having to download them to the bastion machine where gcrane is running.

Additional context

Add any other context about the problem here.

• Output of crane version

% gcrane version
0.19.1

• Registry used (e.g., GCR, ECR, Quay)
  From GCR to GAR