'Why Can't I Pull Google Artifact Registry Docker Images Build with Google Cloud Build?

I created a Docker image ($DOCKER_IMAGE_NAME) using Google Cloud Build (GCB). I don't seem to be able to pull $DOCKER_IMAGE_NAME:

docker pull us-central1-docker.pkg.dev/. . ./$DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG

#=>

Error response from daemon: Get https://us-central1-docker.pkg.dev/. . ./$DOCKER_IMAGE_NAME/v1: denied: Permission "artifactregistry.repositories.downloadArtifacts"denied on resource "projects/. . ./$DOCKER_REPOSITORY_NAME" (or it may not exist)

How can I pull $DOCKER_IMAGE_NAME?

Solution 1:^[1]

The error message seems to indicate that you need to grant permissions.

You will need to run the add-iam-policy-binding command:

gcloud projects add-iam-policy-binding $PROJECT \
--member=$MEMBER \
--role=$ROLE

where $ROLE is artifactregistry.repositories.downloadArtifacts.

See this for more information.

Solution 2:^[2]

You also need to add role related to Artifact to your service account. Even if your service account has a owner role it wont work because GCP artifact repo has its own permissions boundary.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution	Source
Solution 1	Mike
Solution 2	Devang Pandya

'Why Can't I Pull Google Artifact Registry Docker Images Build with Google Cloud Build?

Solution 1:[1]

Solution 2:[2]

Sources

Related Questions

Solution 1:^[1]

Solution 2:^[2]