Buildx: insufficient_scope: authorization failed

[wajda]

Description

Unable to push to the docker.io when executing multi-arch build.
When the docker.platform parameter is not specified everything works as expected - the image is built and successfully pushed to the Docker Hub. It is adding --Ddocker.platform=something makes the push to fail with the following message. I suspect something is wrong with the generated buildx config, and the credentials just aren't propagated correctly.

[INFO] --- docker-maven-plugin:0.43.0:push (docker-push) @ spline-web-ui ---
[INFO] Expanding: /home/wajda/Projects/spline-ui/deployment/web/target/docker/docker.io/wajda/spline-web-ui/tmp/docker-build.tar into /home/wajda/Projects/spline-ui/deployment/web/target/docker/docker.io/wajda/spline-web-ui/tmp/docker-build
[INFO] DOCKER> docker --config /home/wajda/Projects/spline-ui/deployment/web/target/docker/docker.io/wajda/spline-web-ui/docker buildx build --progress=plain --builder maven --platform linux/amd64 --tag docker.io/wajda/spline-web-ui:latest --tag docker.io/wajda/spline-web-ui:1.0.0-SNAPSHOT --tag docker.io/wajda/spline-web-ui:latest --build-arg PROJECT_ARTIFACT_ID=spline-web-ui --build-arg PROJECT_BASEDIR=/home/wajda/Projects/spline-ui/deployment/web --build-arg PROJECT_BUILD_DIRECTORY=/home/wajda/Projects/spline-ui/deployment/web/target --build-arg PROJECT_BUILD_FINAL_NAME=spline-web-ui-1.0.0-SNAPSHOT --build-arg PROJECT_GROUP_ID=za.co.absa.spline.ui --build-arg PROJECT_NAME=Spline Web UI --build-arg PROJECT_VERSION=1.0.0-SNAPSHOT --file=/home/wajda/Projects/spline-ui/deployment/web/target/docker/docker.io/wajda/spline-web-ui/tmp/docker-build/Dockerfile /home/wajda/Projects/spline-ui/deployment/web/target/docker/docker.io/wajda/spline-web-ui/tmp/docker-build --push
[INFO] DOCKER> #1 [internal] load .dockerignore
[INFO] DOCKER> #1 transferring context: 2B done
[INFO] DOCKER> #1 DONE 0.0s
[INFO] DOCKER> 
[INFO] DOCKER> #2 [internal] load build definition from Dockerfile
[INFO] DOCKER> #2 transferring dockerfile: 983B done
[INFO] DOCKER> #2 DONE 0.0s
[INFO] DOCKER> 
[INFO] DOCKER> #3 [internal] load metadata for docker.io/library/tomcat:9-jre11-openjdk-slim-buster
[INFO] DOCKER> #3 DONE 0.2s
[INFO] DOCKER> 
[INFO] DOCKER> #4 [internal] load build context
[INFO] DOCKER> #4 transferring context: 207B done
[INFO] DOCKER> #4 DONE 0.0s
[INFO] DOCKER> 
[INFO] DOCKER> #5 [1/3] FROM docker.io/library/tomcat:9-jre11-openjdk-slim-buster@sha256:85970dddc4880911d76288f882298bb3d981cb5e2059dcb79751416ed8dd450e
[INFO] DOCKER> #5 resolve docker.io/library/tomcat:9-jre11-openjdk-slim-buster@sha256:85970dddc4880911d76288f882298bb3d981cb5e2059dcb79751416ed8dd450e
[INFO] DOCKER> #5 resolve docker.io/library/tomcat:9-jre11-openjdk-slim-buster@sha256:85970dddc4880911d76288f882298bb3d981cb5e2059dcb79751416ed8dd450e 0.0s done
[INFO] DOCKER> #5 DONE 0.0s
[INFO] DOCKER> 
[INFO] DOCKER> #6 [2/3] RUN rm -rf /usr/local/tomcat/webapps/*
[INFO] DOCKER> #6 CACHED
[INFO] DOCKER> 
[INFO] DOCKER> #7 [3/3] COPY target/*.war /usr/local/tomcat/webapps/ROOT.war
[INFO] DOCKER> #7 CACHED
[INFO] DOCKER> 
[INFO] DOCKER> #8 exporting to image
[INFO] DOCKER> #8 exporting layers done
[INFO] DOCKER> #8 exporting manifest sha256:abd86987e9966b0a9ac9bc7e632367f0b3e36c0f7ead97eed61413cbc54df095 0.0s done
[INFO] DOCKER> #8 exporting config sha256:281a2c10360c4ff4953110bf6b9db73787590df7b2838b021f607ae553271a0b done
[INFO] DOCKER> #8 exporting attestation manifest sha256:10f7b3b54263bb0b669883af2c27cf030217b5ce6c8d52394c48092f5bedb41d 0.1s done
[INFO] DOCKER> #8 exporting manifest list sha256:47d9bd5cb429656b9448c3131dcf33d61016c8d957e2bff187b016c43d0cdf6b
[INFO] DOCKER> #8 exporting manifest list sha256:47d9bd5cb429656b9448c3131dcf33d61016c8d957e2bff187b016c43d0cdf6b 0.0s done
[INFO] DOCKER> #8 pushing layers
[INFO] DOCKER> #8 pushing layers 1.0s done
[INFO] DOCKER> #8 ERROR: failed to push docker.io/wajda/spline-web-ui:latest: server message: insufficient_scope: authorization failed
[INFO] DOCKER> ------
[INFO] DOCKER>  > exporting to image:
[INFO] DOCKER> ------
[INFO] DOCKER> ERROR: failed to solve: failed to push docker.io/wajda/spline-web-ui:latest: server message: insufficient_scope: authorization failed
[ERROR] DOCKER> Error status (1) when building
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------

I specify credentials in the Maven settings.xml (I also tried differnt auth methods described in the plugin doc, but neither worked):

<settings>
    <servers>
        <server>
            <id>docker.io</id>
            <username>wajda</username>
            <password>****</password>
        </server>
    </servers>
</settings>

What I have also noticed is that it is somehow relevant to the way how the :

<configuration>
    <images>
        <image>
            <name>docker.io/wajda/spline-web-ui</name>
        </image>
    </images>
</configuration>

I have also noticed that when I specify the image name like this wajda/spline-web-ui and not specify registry (defaulting to docker.io AFAIK) then it works! But if I specify the registry explicitly like <registry>docker.io</registry> or as a part of the image name docker.io/wajda/spline-web-ui I always get "insufficient_scope: authorization failed" error.

Info

• docker-maven-plugin version : 0.43.0
• Maven version (mvn -v) :

Apache Maven 3.8.6 (Red Hat 3.8.6-4)
Maven home: /usr/share/maven
Java version: 11.0.19, vendor: Red Hat, Inc., runtime: /usr/lib/jvm/java-11-openjdk-11.0.19.0.7-1.fc38.x86_64
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "6.3.6-200.fc38.x86_64", arch: "amd64", family: "unix"

• Docker version :

Client: Docker Engine - Community
 Version:           24.0.2
 API version:       1.43
 Go version:        go1.20.4
 Git commit:        cb74dfc
 Built:             Thu May 25 21:53:42 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.2
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.4
  Git commit:       659604f
  Built:            Thu May 25 21:52:08 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.21
  GitCommit:        3dce8eb055cbb6872793272b4f20ed16117344f8
 runc:
  Version:          1.1.7
  GitCommit:        v1.1.7-0-g860f061
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

• If it's a bug, how to reproduce :
  Specify the registry in the image name and execute buildx build by specifying the target platform (docker.platforms=linux/amd64).