Troubleshooting
Problem
Error observed similar to the following example:
Failed to pull image "cp.icr.io/cp/cp4s/cp4s-couch-init:1.9.3.0-amd64":
rpc error: code = Unknown desc = Error reading manifest 1.9.3.0-amd64 in
cp.icr.io/cp/cp4s/cp4s-couch-init: denied: insufficient scope
Symptom
There are 2 possible places to view this error message.
- The error message is visible in the output of the "oc describe pod" command in the events section.
- The error message is visible in the output of the "oc get events" command.
Error message example:
Failed to pull image "cp.icr.io/cp/cp4s/cp4s-couch-init:1.9.3.0-amd64":
rpc error: code = Unknown desc = Error reading manifest 1.9.3.0-amd64 in
cp.icr.io/cp/cp4s/cp4s-couch-init: denied: insufficient scope
Cause
For this scenario, the credentials provided in the "ibm-entitlement-key" secret under the Cloud Pak for Security namespace are invalid and thus fail to allow access to the IBM "cp.icr.io" image registry.
Diagnosing The Problem
You can check whether the "ibm-entitlement-key" is invalid by performing the following steps.
Log in to the cluster as an Administrator.
Log in to the "cp.icr.io" registry by using the following command.
podman login --username cp --password $(oc extract secret/ibm-entitlement-key --to - --keys .dockerconfigjson | jq -r '.auths."cp.icr.io".password')
Run the following command to try pulling the image that is showing as failing in the event logs.
podman pull cp.icr.io/cp/cp4s/isc-ambassador:1.10.8.0-amd64
Trying to pull cp.icr.io/cp/cp4s/isc-ambassador:1.10.8.0-amd64...
Getting image source signatures
Checking if image destination supports signatures
Copying blob e34698d74bbc done
Copying blob e34698d74bbc done
..(etc truncated output)
Copying config 339c7fe6f4 done
Writing manifest to image destination
Storing signatures
339c7fe6f47c26cee01d37e39771cd2f7f80925b9c72e31ccbfb5d7392e6631b
If the message appears, "Failed to pull image ....denied: insufficient scope", then a new "ibm-entitlement-key" is needed.
Resolving The Problem
Make sure that you have a valid "ibm-entitlement-key", which can be acquired from https://myibm.ibm.com/
Refer to your IBM Account Manager.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTDPP","label":"IBM Cloud Pak for Security"},"ARM Category":[{"code":"a8m3p0000000rbnAAA","label":"Administration Task"}],"ARM Case Number":"TS011847804","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
30 September 2023
UID
ibm16955061