GCP yum artifact registry 403 when imported from packer instance

Question

I am trying to install a package from the yum repository created using the GCP Artifact registry within a packer instance. I am able to install the package if the repository has public access to allUsers however, it fails if the principal is limited to a service account even though the sa has roles/artifactregistry.admin or roles/artifactregistry.reader role. The packer is using Default network with the scope of "https://www.googleapis.com/auth/cloud-platform" and the appropriate service_account_email, and account json options.

Errors during downloading metadata for repository 'MyRepository':
  - Status code: 403 for https://us-central1-yum.pkg.dev/projects/project-xyz/repo-rhel8/repodata/repomd.xml (IP: 142.250.125.82)
Error: Failed to download metadata for repo 'MyRepository': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried

kindly request your help with this problem.

Answer 1

The problem is solved by installing yum-plugin-artifact-registry. I was using rhel8 and this package was not found. After looking into the PR (https://github.com/GoogleCloudPlatform/artifact-registry-yum-plugin/pull/14), found that I have to install dnf-plugin-artifact-registry which is found in the default registries and then was able to get my custom repo

Answer 2

There are many possibilities why you got above error: You need to verify the VM has an associated service account.

1. Goto VM instance page
2. In the list of VMs, check the name of your VM and on the details tab, the service account and access scopes appear under API and IM; by default they will use compute engine default service account; you need to change that as per your account. Please check this document.
3. You need to check the VM service account has read the permissions to the repository as well as the cloud platform API access scope.