stackoom
  简体   繁体   中英

Access GCP Docker image from different project

 原文  2021-08-16 04:44:16       docker/ google-cloud-platform/ app-engine-flexible

Question

I have two GCP projects. projectA contains an artifact registry where I store my docker images, projectB is where I want to use such an image to deploy it with app-engine (flexible).

Here's how my command looks like:

gcloud app deploy --project=projectB --version=test1 --image-url="asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest"

It fails like this:

ERROR: (gcloud.app.deploy) Error Response: [7] The App Engine appspot and App Engine flexible environment service accounts must have permissions on the image [asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest]. Please check that the App Engine default service account has the [Storage Object Viewer] role and the App Engine Flexible service account has the App Engine Flexible Environment Service Agent role

I ensured that the App Engine default service account has the Storage Object Viewer role (in both projects), however I cannot find an App Engine Flexible service account anywhere.

2 answers

solution1
 2  2021-08-16 04:59:50

You will need to make sure that App Engine default service account of projectB has access to gcs bucket in projectA.

You should go to projectA to "IAM" (not "Service Accounts"), There you will be able to add the email address of App Engine default service account from projectB .

solution2
 2 ACCPTED  2021-08-16 08:24:41

On Google Cloud, you have 2 container registry product: Container registry and artifact registry.

When you use Container Registry, the legacy one, the Kunal answer is correct, you need to grant the service account as Storage Object Viewer on your project.

However, a major evolution of the new registry Artifact Registry, is the IAM compatibility. This time you can grant, not a project scope (even if you can, but I don't recommend it), but at registry scope. And you have an IAM role dedicated to that.

Go to Artifact Registry, select it (check box on the left) and go to the permission panel on the right hand side 在此处输入图像描述

Click on add member, add your service account and select the correct role, here artifact reader is enough在此处输入图像描述

(it also works if you grant your service account at project scope of course, with the same role)

EDIT 1

You can grant this role at project level also在此处输入图像描述

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question GCP - Not able to Push docker image from Compute Engine to Container Registry What docker image does GCP AI notebooks actually use? Cannot mount Cloud Filestore from the deeplearning image Access GCP project with company email "nongmail" and password Restrict access to GCP organisation and project resources by location how to deploy docker image in gcp vm workload identity can work 2 different GCP project? Do I need a Provate VPC to Allow Cloud SQL Access from another GCP project? Getting a list of all project owners from GCP How to use an image from container registry in different project? How to give users access to app script managed by a GCP Project
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM