zino

Reputation: 1472

docker pull: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource

How do I give a new service account this permission?

I have a VM with "Compute Engine default service account" and it works.

I changed the service account to one with just:

Artifact Registry Administrator
Artifact Registry Reader

and this results in the above error on docker pull.

Thanks

Upvotes: 1

Views: 2200

Answers (2)

Jyothi Kiranmayi

Reputation: 2498

This happens when you are trying to push/pull an image on a repository whose specific hostname (associated with its repository location) has not yet been added to the credential helper configuration for authentication.

For the gcloud credential helper or standalone credential helper, the Artifact Registry hosts you use must be in your Docker configuration file.

Artifact Registry does not automatically add all registry hosts to the Docker configuration file. Docker response time is significantly slower when there is a large number of configured registries. To minimize the number of registries in the configuration file, you add the hosts that you need to the file.

You need to configure-docker while impersonating your service account ($SERVICE_ACCOUNT_EMAIL):

1. Run the following command to make sure you are still impersonating $SERVICE_ACCOUNT_EMAIL:

   $ gcloud auth list

If the service account is not impersonated then run the following command:

   $ gcloud auth activate-service-account \
       "$SERVICE_ACCOUNT_EMAIL" \
       --key-file=$SERVICE_ACCOUNT_JSON_FILE_PATH

2. Run the configure-docker command against the auth group:

   $ gcloud auth configure-docker <location>-docker.pkg.dev

3. Finally, try pulling the Docker image again.

Refer to Authenticating to a repository and this stackpost for more information.

Upvotes: 0
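The answer above hinges on one check: whether the `credHelpers` section of the Docker config file (normally `~/.docker/config.json`) already has an entry for the exact `<location>-docker.pkg.dev` host you are pulling from. The script below is an added example, not code from either answer or from Google; it builds a constructed sample config with only `europe-west1-docker.pkg.dev` registered and then looks up arbitrary hosts in it, so it runs offline with no gcloud or Docker installed. The function and file names are assumptions of this example.

```sh
#!/bin/sh
# Added example: check whether a Docker config.json registers a credential
# helper for a given Artifact Registry host. Function names and the sample
# file are this example's own; the config path is passed in by the caller.

# Constructed sample config: only europe-west1 (and gcr.io) are registered.
make_sample_config() {
  cat > "$1" <<'EOF'
{
  "auths": {},
  "credHelpers": {
    "europe-west1-docker.pkg.dev": "gcloud",
    "gcr.io": "gcloud"
  }
}
EOF
}

# Print the helper name registered for $2 in config file $1 (empty if none).
# The JSON is flattened to one line so the key/value pair can be matched
# regardless of how the file is indented.
cred_helper_for() {
  config="$1"
  host="$2"
  tr -d '\n' < "$config" |
    sed -n "s/.*\"$host\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Report whether host $2 is configured in $1; exit status 0 = configured.
# On a miss, print the exact configure-docker command the answer recommends.
check_host() {
  helper=$(cred_helper_for "$1" "$2")
  if [ -n "$helper" ]; then
    echo "ok: $2 -> credential helper '$helper'"
    return 0
  fi
  echo "missing: $2 is not in credHelpers"
  echo "fix:     gcloud auth configure-docker $2"
  return 1
}

# Stand-alone demo against the constructed config.
demo() {
  tmp=$(mktemp)
  make_sample_config "$tmp"
  check_host "$tmp" europe-west1-docker.pkg.dev
  check_host "$tmp" us-central1-docker.pkg.dev || true
  rm -f "$tmp"
}
```

Run it against your real file with `check_host ~/.docker/config.json us-central1-docker.pkg.dev`. A miss for the host in the image path is exactly the situation the answer describes, and the fix it prints is the step 2 command above; a hit means the `downloadArtifacts` error is coming from the active account or its IAM bindings instead, which is the direction the other answer takes.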

Mazlum Tosun

Reputation: 6582

Check that you have correctly configured Docker to be able to pull and push images to Artifact Registry: https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling

You also have to be sure you are using the expected Service Account in the place where you execute your command.

If you execute from your local machine in bash, check that you are connected to the expected Service Account with:

gcloud auth activate-service-account --key-file=your_key_file_path.json

export GOOGLE_APPLICATION_CREDENTIALS=your_key_file_path.json

The permissions you have given to your Service Account seem to be correct to execute the needed action.

Upvotes: 1
