I have two GCP projects. projectA contains an Artifact Registry where I store my Docker images; projectB is where I want to use such an image to deploy it with App Engine (flexible).
Here's what my command looks like:
gcloud app deploy --project=projectB --version=test1 --image-url="asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest"
It fails like this:
ERROR: (gcloud.app.deploy) Error Response: [7] The App Engine appspot and App Engine flexible environment service accounts must have permissions on the image [asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest]. Please check that the App Engine default service account has the [Storage Object Viewer] role and the App Engine Flexible service account has the App Engine Flexible Environment Service Agent role
I ensured that the App Engine default service account has the Storage Object Viewer role (in both projects), however I cannot find an App Engine Flexible service account anywhere.
You will need to make sure that the App Engine default service account of projectB has access to the GCS bucket in projectA.
You should go to projectA, to "IAM" (not "Service Accounts"). There you will be able to add the email address of the App Engine default service account from projectB.
On Google Cloud, you have 2 container registry products: Container Registry and Artifact Registry.
When you use Container Registry, the legacy one, Kunal's answer is correct: you need to grant the service account Storage Object Viewer on your project.
However, a major evolution of the new registry, Artifact Registry, is its IAM compatibility. This time you can grant access not at project scope (even if you can, I don't recommend it), but at registry scope. And you have an IAM role dedicated to that.
Go to Artifact Registry, select the registry (check box on the left) and go to the permission panel on the right-hand side.
Click on add member, add your service account and select the correct role; here artifact reader is enough.
(it also works if you grant your service account at project scope of course, with the same role)
EDIT 1
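Added example, not part of either answer above: a dry-run shell function that derives the repository-scoped grant from the image URL in the question and prints the matching `gcloud artifacts repositories add-iam-policy-binding` command instead of running it. The function name `ar_grant_cmd` is hypothetical, and the service account name assumes projectB is the literal project ID.

```shell
#!/bin/sh
# Added example: derive the repository-scoped IAM grant from an image URL.
# Dry run: prints the gcloud command instead of executing it.

# ar_grant_cmd IMAGE_URL MEMBER   (hypothetical helper name)
#   IMAGE_URL  LOCATION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE[:TAG]
#   MEMBER     IAM member, e.g. serviceAccount:NAME@DOMAIN
ar_grant_cmd() {
    image_url=$1
    member=$2
    host=${image_url%%/*}
    case "$host" in
        *-docker.pkg.dev) ;;
        gcr.io|*.gcr.io)
            # Legacy Container Registry: access is controlled on the bucket.
            echo "Container Registry image: grant Storage Object Viewer instead" >&2
            return 2 ;;
        *)
            echo "not a registry host this script knows: $host" >&2
            return 1 ;;
    esac
    location=${host%-docker.pkg.dev}
    rest=${image_url#*/}       # PROJECT/REPOSITORY/IMAGE[:TAG]
    project=${rest%%/*}
    rest=${rest#*/}            # REPOSITORY/IMAGE[:TAG]
    repository=${rest%%/*}
    # Reject URLs that stop before the image name or have empty parts.
    if [ -z "$location" ] || [ -z "$project" ] || [ -z "$repository" ] \
        || [ "$rest" = "$repository" ]; then
        echo "malformed image URL: $image_url" >&2
        return 1
    fi
    # Scope the binding to one repository, with the read-only role.
    printf 'gcloud artifacts repositories add-iam-policy-binding %s --project=%s --location=%s --member=%s --role=roles/artifactregistry.reader\n' \
        "$repository" "$project" "$location" "$member"
}

# Image URL from the question; the member assumes projectB is the project ID.
ar_grant_cmd "asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest" \
    "serviceAccount:projectB@appspot.gserviceaccount.com"
```

Review the printed command before running it; the binding applies only to the named repository in projectA, not to the whole project.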