
How can a GKE cluster pull container images from a Container Registry hosted in another project?

I have a GKE cluster in project <reader-project> trying to access a GCR image in project <registry-project>.

I've tried adding the GCE service account email for <reader-project> as a User with Reader access on the storage bucket in <registry-project>, but I'm still getting the error:

<Error><Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>Caller does not have storage.objects.get access to object us.artifacts.<registry-project>.appspot.com/containers/images/sha256:<tag>.
</Details></Error>
Symmetric

3 Answers


Try to add the GCE service account email as a User with the Storage Object Viewer role. It gives the service account read-only access to GCS objects (container images) in your project.

Lizhu Qi
  • Is it possible to add a bunch of project service account emails under one IAM role so that I can grant other permissions to that group as well? Looks like it should be, but I already tried that approach for Storage Viewer and it didn't work. – Symmetric Jul 27 '16 at 19:55
  • yeah, that should be fine. – Lizhu Qi Jul 27 '16 at 20:34
  • This does not work now. I tried by adding the compute engine service account of different project to the project containing registry. I still get 403 error. – Lakshman Diwaakar Jan 24 '17 at 02:46

Look at the IAM permissions of the project under which you have your GKE and you will see a user similar to: 123456789-compute@developer.gserviceaccount.com.

Then in your container registry project, grant that user the Storage Object Viewer permission. Your GKE will then be allowed to pull images from th

AllSySt3msG0

Can you run the following commands to check the permissions for both buckets:

gsutil acl get gs://us.artifacts..appspot.com

gsutil acl get gs://artifacts..appspot.com

artifacts..appspot.com is the default bucket. When you add the service account as Storage Object Viewer, read-only permission of the default bucket is granted.

Here is the link about gsutil tool: https://cloud.google.com/storage/docs/gsutil/commands/acl

Lizhu Qi
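The grant described in the two answers above (Storage Object Viewer for the reader project's Compute Engine service account) and the permission check suggested in the last answer, as one added example script. This is not code from the question or from any answer; the project IDs, project numbers and the sample IAM policy are placeholders constructed for illustration. It assumes the GKE node pool runs as the default Compute Engine service account; if the node pool was created with a custom service account, pass that account's email instead.

```shell
#!/bin/sh
# Added example (not code from the question or any answer): grant the reader
# project's GKE node service account pull access to the registry project, then
# verify the binding. Project IDs/numbers here are placeholders.

# Default Compute Engine service account that GKE nodes run as unless the node
# pool was created with a custom service account. The argument is the reader
# project's numeric project number (shown on its IAM page), not its project ID.
compute_sa_email() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Project-wide grant: read access to every bucket in the registry project,
# which covers artifacts.PROJECT.appspot.com (gcr.io) as well as the
# us./eu./asia. artifacts buckets. Set GCLOUD=echo to dry-run.
grant_pull_access() {
  "${GCLOUD:-gcloud}" projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$2" \
    --role="roles/storage.objectViewer"
}

# Narrower alternative: bind on a single registry bucket. Pass the bucket the
# failing object actually lives in (us.artifacts.PROJECT.appspot.com in the
# error above, which is not the same bucket as artifacts.PROJECT.appspot.com).
grant_bucket_pull_access() {
  "${GSUTIL:-gsutil}" iam ch "serviceAccount:$2:roles/storage.objectViewer" "gs://$1"
}

# Check a policy as printed by `gcloud projects get-iam-policy PROJECT`
# (YAML or --format=json; members are listed before the role in both) for an
# objectViewer binding that contains the account. Exit 0 if found, 1 if not.
has_object_viewer() {
  printf '%s\n' "$1" | awk -v sa="serviceAccount:$2" '
    index($0, sa) > 0 { seen = 1 }
    /^[[:space:]]*"?role"?:/ {
      if (seen && index($0, "roles/storage.objectViewer") > 0) found = 1
      seen = 0
    }
    END { exit found ? 0 : 1 }'
}

verify_pull_access() {
  has_object_viewer "$("${GCLOUD:-gcloud}" projects get-iam-policy "$1" --format=json)" "$2"
}

# Constructed sample policy shaped like gcloud JSON output: account 123456789
# holds an unrelated role only, account 987654321 holds objectViewer.
SAMPLE_POLICY='{
  "bindings": [
    {
      "members": [
        "serviceAccount:123456789-compute@developer.gserviceaccount.com"
      ],
      "role": "roles/logging.viewer"
    },
    {
      "members": [
        "serviceAccount:987654321-compute@developer.gserviceaccount.com"
      ],
      "role": "roles/storage.objectViewer"
    }
  ],
  "etag": "constructed",
  "version": 1
}'

# Usage: REGISTRY_PROJECT=<registry-project> READER_PROJECT_NUMBER=123456789 sh grant-pull.sh
if [ -n "${REGISTRY_PROJECT:-}" ] && [ -n "${READER_PROJECT_NUMBER:-}" ]; then
  sa="$(compute_sa_email "$READER_PROJECT_NUMBER")"
  grant_pull_access "$REGISTRY_PROJECT" "$sa"
  verify_pull_access "$REGISTRY_PROJECT" "$sa" && echo "objectViewer binding present for $sa"
fi
```

The reader project's number, if it is not at hand, comes from `gcloud projects describe <reader-project> --format='value(projectNumber)'`. The verify step checks the project-level policy only; a grant made with grant_bucket_pull_access shows up in `gsutil iam get gs://BUCKET` instead, so check the bucket that appears in the AccessDenied message.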