Why Can't I Pull Google Artifact Registry Docker Images Build with Google Cloud Build?

Question

I created a Docker image ($DOCKER_IMAGE_NAME) using Google Cloud Build (GCB). I don't seem to be able to pull $DOCKER_IMAGE_NAME:

docker pull us-central1-docker.pkg.dev/. . ./$DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG

#=>

Error response from daemon: Get https://us-central1-docker.pkg.dev/. . ./$DOCKER_IMAGE_NAME/v1: denied: Permission "artifactregistry.repositories.downloadArtifacts"denied on resource "projects/. . ./$DOCKER_REPOSITORY_NAME" (or it may not exist)

How can I pull $DOCKER_IMAGE_NAME?

Answer 1

I saw the setup instructions from artifact registry at a later time (migrated from container registry) and it's needd to specify the region gcloud auth configure-docker europe-west1-docker.pkg.dev

Answer 2

You also need to add role related to Artifact to your service account. Even if your service account has a owner role it wont work because GCP artifact repo has its own permissions boundary.

Answer 3

The error message seems to indicate that you need to grant permissions.

You will need to run the add-iam-policy-binding command:

gcloud projects add-iam-policy-binding $PROJECT \
--member=$MEMBER \
--role=$ROLE

where $ROLE is artifactregistry.repositories.downloadArtifacts.

See this for more information.