'Service Account Unable to Push Docker Image to Google Artifact Registry
I am trying to push a Docker image to Google Artifact Registry (GAR) while impersonating a Service Account ($SERV_ACCT_EMAIL):
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/$GCP_PROJECT_ID/locations/us-west1/repositories/$GAR_REPOSITORY" (or it may not exist)
$SERV_ACCT_EMAIL has Artifact Registry Writer (roles/artifactregistry.writer) and Artifact Registry Reader (roles/artifactregistry.reader) roles; the latter of which has the permission artifactregistry.repositories.downloadArtifacts. Thus, if the resource is granted access to $SERV_ACCT_EMAIL, I believe I will indeed be able to push those artifacts.
How do I push to GAR while impersonating $SERV_ACCT_EMAIL?
Solution 1:[1]
You may need to configure-docker while impersonating your service account ($SERVICE_ACCOUNT_EMAIL):
Check to make sure you are still impersonating
$SERVICE_ACCOUNT_EMAIL:gcloud auth list #=> Credentialed Accounts ACTIVE ACCOUNT . . . * $SERVICE_ACCOUNT_EMAIL . . .if not:
gcloud auth activate-service-account \ "$SERVICE_ACCOUNT_EMAIL" \ --key-file=$SERVICE_ACCOUNT_JSON_FILE_PATH #=> Activated service account credentials for: [$SERVICE_ACCOUNT_EMAIL]Run the
configure-dockercommand against theauthgroup:gcloud auth configure-docker us-west1-docker.pkg.dev #=> . . . Adding credentials for: us-west1-docker.pkg.dev . . .Finally, try
pushing the Docker image again.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Mike |