从不同项目访问 GCP Docker 图像
[英]Access GCP Docker image from different project
问题描述
I have two GCP projects.
我有两个 GCP 项目。 projectA contains an artifact registry where I store my docker images, projectB is where I want to use such an image to deploy it with app-engine (flexible). projectA 包含一个工件注册表,我在其中存储我的 docker 图像,projectB 是我想使用这样的图像通过应用程序引擎(灵活)部署它的地方。
Here's how my command looks like:这是我的命令的样子:
gcloud app deploy --project=projectB --version=test1 --image-url="asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest"
It fails like this:它像这样失败:
ERROR: (gcloud.app.deploy) Error Response: [7] The App Engine appspot and App Engine flexible environment service accounts must have permissions on the image [asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest].
I ensured that the App Engine default service account has the Storage Object Viewer role (in both projects), however I cannot find an App Engine Flexible service account anywhere.我确保App Engine default service account具有Storage Object Viewer角色(在两个项目中),但是我无法在任何地方找到App Engine Flexible service account 。
2 个解决方案
解决方案1
2 2021-08-16 04:59:50
You will need to make sure that App Engine default service account of projectB has access to gcs bucket in projectA.您需要确保项目 B 的App Engine default service account可以访问项目 A 中的 gcs 存储桶。
You should go to projectA to "IAM" (not "Service Accounts"), There you will be able to add the email address of App Engine default service account from projectB .您应该将 go 到 projectA 到“IAM”(而不是“服务帐户”),在那里您将能够从 projectB 添加App Engine default service account的projectB地址。
解决方案2
2 已采纳 2021-08-16 08:24:41
On Google Cloud, you have 2 container registry product: Container registry and artifact registry.在 Google Cloud 上,您有 2 个容器注册表产品:容器注册表和工件注册表。
When you use Container Registry, the legacy one, the Kunal answer is correct, you need to grant the service account as Storage Object Viewer on your project.当您使用 Container Registry(旧版)时,Kunal 的回答是正确的,您需要在您的项目中将服务帐户授予 Storage Object Viewer。
However, a major evolution of the new registry Artifact Registry, is the IAM compatibility.然而,新注册表 Artifact Registry 的一个主要演变是 IAM 兼容性。 This time you can grant, not a project scope (even if you can, but I don't recommend it), but at registry scope. And you have an IAM role dedicated to that.这次您可以授予的不是项目 scope(即使您可以,但我不推荐),而是在注册表 scope 中。您有一个 IAM 角色专用于此。
Go to Artifact Registry, select it (check box on the left) and go to the permission panel on the right hand side Go 到 Artifact Registry,select it(左侧的复选框)和 go 到右侧的权限面板
Click on add member, add your service account and select the correct role, here artifact reader is enough点击add member,添加你的service account和select 正确的role,这里神器阅读器就够了
(it also works if you grant your service account at project scope of course, with the same role) (当然,如果您在项目 scope 授予您的服务帐户具有相同的角色,它也有效)
EDIT 1编辑 1
You can grant this role at project level also您也可以在项目级别授予此角色
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.