Reputation: 199
Permission error when setting IAM policy on Artifact Registry in GCP
I'm following this guide and getting stuck at step 3. When I run
gcloud artifacts repositories add-iam-policy-binding [myrepo] \
--location us \
--member=serviceAccount:build-robot@[myproject].iam.gserviceaccount.com \
--role=roles/artifactregistry.writer
I get PERMISSION_DENIED: The caller does not have permission.
gcloud is running as roles/Owner (myself) so I definitely have permission to perform the action.
I can add a project binding for the service account with role roles/cloudbuild.builds.builder, and this works (I can push and pull images from the artifact registry using the build-robot service account), but is far too permissive for what I want the service account to do.
Upvotes: 0
Views: 2906
Answers (1)
Reputation: 64
Sometimes this error may happen due to the specified location in the --location tag not being the correct one.
Check that the artifact to which you're granting permissions is in US, as the tutorial you shared assumes you've created it in US, or otherwise change the location tag accordingly.
Upvotes: 3
Related Questions
- GCP yum artifact registry 403 when imported from packer instance
- GCP IAM: Binding role to Service Account fails
- Can't push image to google container registry - Caller does not have permission 'storage.buckets.get'
- Permission denied when creating GCP Service Account Key
- Unable to add iam policy binding to service account using Google deployment manager
- You need permissions for this action. Required permission(s): resourcemanager.projects.setIamPolicy
- Google Cloud Platform: Minimal IAM permissions for gcloud command
- Permission Denied - GCP Cloud Resource Manager setIamPolicy
- How to set service account permission from IAM api
- Problems with permissions on Google Cloud IAM