
Unable to deploy a Cloud Run Service using an image from another project

Getting this error when trying to deploy a Cloud Run Service using an image from another project in the same organization.

"Google Cloud Run Service Agent must have permission to read the image, gcr.io/my-builds/consultoriaweb@sha256:8c655b2bab..... Ensure that the provided container image URL is correct and that the above account has permission to access the image. If you just enabled the Cloud Run API, the permissions might take a few minutes to propagate. Note that the image is from project [my-builds], which is not the same as this project [my-webapp]. Permission must be granted to the Google Cloud Run Service Agent from this project."

I am selecting the image to deploy from Container Registry in the my-builds project using the Google Console web interface.

Already added IAM permissions on the [my-builds] project; tried both:

[my-webapp-project-number]-compute@developer.gserviceaccount.com => role Compute Image User

[my-webapp-project-number]@cloudservices.gserviceaccount.com => role Compute Image User

Google documentation says that I should just give the roles/compute.imageUser role to:

[my-webapp-project-number]@cloudservices.gserviceaccount.com on my-builds project, but I can't get it to work.

Here is the Google documentation on Using Images from Other Projects, but I don't know if it applies to Cloud Run: https://cloud.google.com/deployment-manager/docs/configuration/using-images-from-other-projects-for-vm-instances#granting_access_to_images

Thanks in advance for any help on that.

You mixed different things. A container image isn't a Compute Engine boot disk image.

So, you need to grant the Cloud Run service agent service account access to the image in your other project. You can find the documentation here on granting access to a GCR image.

Then you need to get your Cloud Run service agent service account, which has this pattern:

service-<projectNumber>@serverless-robot-prod.iam.gserviceaccount.com

Both combined: go to the console of the project hosting the container image, open the IAM page and click Add:

  • Add the Cloud Run Service agent service account as member
  • Grant the role: Storage Object Viewer.

Thank you. Got it to work!

I found many different resources/docs about setting permissions for Cloud Run to pull container images from other projects. So I tested to discover the one that is really needed:

For Artifact Registry:

  • members:
    • serviceAccount:service-@serverless-robot-prod.iam.gserviceaccount.com role: roles/artifactregistry.reader

For Container Registry:

  • members:
    • serviceAccount:service-@serverless-robot-prod.iam.gserviceaccount.com role: roles/storage.objectViewer

Thank you again.

I got the same error today for one of my projects and I have found the official docs and wanted to share the steps here.

  1. In the console, open the project for your Cloud Run service.
  2. Check the checkbox labelled Include Google-provided role grants.
  3. Copy the email of the Cloud Run service agent. It has the suffix @serverless-robot-prod.iam.gserviceaccount.com (you can just do Control+F and search for @serverless-robot-prod.iam.gserviceaccount.com). (You should find the account from this page because the project number is not the project ID.)
  4. Open the project that owns the container registry you want to use.
  5. Click Add to add a new principal.
  6. In the New principals text box, paste in the email of the service account that you copied earlier.
  7. In the Select a role dropdown list, if you are using Container Registry, select the role Storage -> Storage Object Viewer. If you are using Artifact Registry, select the role Artifact Registry -> Artifact Registry Reader.
  8. Deploy the container image to the project that contains your Cloud Run service.

You can follow the official docs from HERE
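The same steps as a gcloud script, added here as an example and not code from the thread or from Google's docs. It assumes gcloud is installed and authenticated, and that the project IDs, repository name and location are placeholders you replace. It resolves the project number from the project ID (the pitfall in step 3), builds the service agent email from it, and covers both registries, scoping the Artifact Registry grant to a single repository rather than the whole project.

```shell
#!/bin/sh
# Grant the Cloud Run service agent of the service project read access to
# container images hosted in another project.
# Assumes: gcloud installed and authenticated; names below are placeholders.

# The service agent email is derived from the project NUMBER, not the ID.
run_service_agent() {
  # $1 = project number of the project that hosts the Cloud Run service
  printf 'serviceAccount:service-%s@serverless-robot-prod.iam.gserviceaccount.com\n' "$1"
}

# Build the gcloud command that grants the read role in the image project.
# $1 = registry kind ("ar" or "gcr"), $2 = image project ID, $3 = member,
# $4 = Artifact Registry repository, $5 = repository location (only for "ar").
grant_command() {
  case "$1" in
    ar)
      # Repository-scoped binding: narrower than a project-wide role grant.
      printf 'gcloud artifacts repositories add-iam-policy-binding %s --location=%s --project=%s --member=%s --role=roles/artifactregistry.reader\n' "$4" "$5" "$2" "$3"
      ;;
    gcr)
      # Container Registry keeps layers in a GCS bucket, hence the storage role.
      printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=roles/storage.objectViewer\n' "$2" "$3"
      ;;
    *)
      echo "unknown registry kind: $1 (use ar or gcr)" >&2
      return 1
      ;;
  esac
}

# Look up the service project's number and apply the grant in the image project.
# $1 = registry kind, $2 = service project ID, $3 = image project ID,
# $4 = Artifact Registry repository, $5 = repository location
grant_cross_project_pull() {
  number=$(gcloud projects describe "$2" --format='value(projectNumber)') || return 1
  member=$(run_service_agent "$number")
  cmd=$(grant_command "$1" "$3" "$member" "$4" "$5") || return 1
  echo "+ $cmd"
  eval "$cmd"   # arguments are our own constructed values, not untrusted input
}

# Usage with placeholder names (service project my-webapp, image project my-builds):
#   grant_cross_project_pull ar  my-webapp my-builds web-images us-central1
#   grant_cross_project_pull gcr my-webapp my-builds
```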

To answer @mzafer, here is the Terraform code I use to do it:

resource "google_project_iam_member" "run_gcr" {
  project = local.build_project
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:service-${google_project.main.number}@serverless-robot-prod.iam.gserviceaccount.com"
}
