Google Artifact Registry "Permission artifactregistry.repositories.uploadArtifacts denied" in CI
Artifact Registry authenticated your identity but the principal lacks the IAM permission to upload. The push needs artifactregistry.repositories.uploadArtifacts, granted by roles/artifactregistry.writer on the repo or project. Grant that role to the CI service account.
What this error means
docker push to *-docker.pkg.dev fails with "denied: Permission 'artifactregistry.repositories.uploadArtifacts' denied on resource ...".
denied: Permission "artifactregistry.repositories.uploadArtifacts" denied on
resource "projects/my-proj/locations/us/repositories/app" (or it may not exist)Common causes
The service account lacks the Writer role
Authentication succeeded but the principal has no uploadArtifacts permission, so Artifact Registry denies the push.
The repository does not exist or is in another location
The message also appears when the repo path is wrong; the resource cannot be written because it is not found at that location.
How to fix it
Grant Artifact Registry Writer to the CI principal
- Identify the service account the workflow authenticates as.
- Grant roles/artifactregistry.writer on the repository or project.
- Configure docker to use gcloud as a credential helper for *.pkg.dev.
gcloud artifacts repositories add-iam-policy-binding app \
--location=us --project=my-proj \
--member="serviceAccount:ci@my-proj.iam.gserviceaccount.com" \
--role="roles/artifactregistry.writer"Configure docker auth for Artifact Registry
Register the gcloud credential helper so docker can push to the regional host.
gcloud auth configure-docker us-docker.pkg.devHow to prevent it
- Grant roles/artifactregistry.writer to CI service accounts.
- Verify the full repo path (project, location, repository).
- Use Workload Identity Federation instead of long-lived keys.