1

I am trying to add a custom package to a Cloud Function on GCP. I have the right permission, and can import packages when I follow this tutorial in the same GCP project.

I cannot add an artifact from an external GCP project, even if I manually give the role Artifact Registry Reader to the service account deploying the Cloud Function.

I also posted an issue on the Google Cloud Platform issue tracker.

Benjamin Breton
  • Does this answer your question? [Cannot add private python dependency to cloud function](https://stackoverflow.com/questions/72106196/cannot-add-private-python-dependency-to-cloud-function) – Robert G May 09 '22 at 01:24
  • @RobertG, It doesn't unfortunately, this only works in the same GCP project – Benjamin Breton May 09 '22 at 05:22

2 Answers

1

I updated the Google issue tracker with my findings while investigating and answering this question.

I'll put a short summary from that answer below, but see my answer there for more details.

Summary

So, to summarize, the first authentication to the repo is done with whatever SA you use.
Stupidly enough, the download itself is done with the inbuilt SA for Cloud Build from the project you are deploying the Cloud Function to. IMHO this should be done by the same SA as the first.

Note that the format for the inbuilt SA for Cloud Build is `<PROJECT-NUMBER>@cloudbuild.gserviceaccount.com`.

Edo Akse
0

I believe this is working as expected, per official documentation.

> If Cloud Functions and Artifact Registry are in different projects, you must grant repository access to the Cloud Build service account.

The Artifact Registry role needs to be given to the Cloud Build service account, and not to the Cloud Functions SA.

I know this is not the most intuitive thing to do :)

Gourav B
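The fix both answers describe, as an added example that is not part of either answer: it grants `roles/artifactregistry.reader` to the Cloud Build service account of the project the function is deployed to, scoped to the single repository in the other project rather than the whole project, then lists the roles that account holds on the repository. The function names and the four arguments (function project ID, repository project ID, location, repository name) are assumptions of this example, and it expects an authenticated `gcloud` with permission to set IAM policy on the repository.

```shell
#!/usr/bin/env bash
# Added example: cross-project Artifact Registry read access for Cloud Functions builds.
# Usage: ./grant.sh FUNCTION_PROJECT_ID REPO_PROJECT_ID LOCATION REPOSITORY
# All four values are placeholders supplied by the caller.

# Build the IAM member string for the inbuilt Cloud Build SA of a project number.
# Rejects anything that is not purely numeric (e.g. a project ID passed by mistake).
cloud_build_member() {
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric: '$1'" >&2; return 1 ;;
  esac
  printf 'serviceAccount:%s@cloudbuild.gserviceaccount.com\n' "$1"
}

# Grant read access on ONE repository (not project-wide) and print the resulting roles.
grant_repo_reader() {
  local fn_project="$1" repo_project="$2" location="$3" repo="$4"
  local number member

  # The download is performed by the Cloud Build SA of the project that hosts the function.
  number="$(gcloud projects describe "$fn_project" --format='value(projectNumber)')" || return 1
  member="$(cloud_build_member "$number")" || return 1

  gcloud artifacts repositories add-iam-policy-binding "$repo" \
    --project="$repo_project" --location="$location" \
    --member="$member" --role='roles/artifactregistry.reader' >/dev/null || return 1

  # Verify: list every role this account now holds on the repository.
  gcloud artifacts repositories get-iam-policy "$repo" \
    --project="$repo_project" --location="$location" \
    --flatten='bindings[].members' \
    --filter="bindings.members:${member#serviceAccount:}" \
    --format='value(bindings.role)'
}

# Run only when invoked with the four arguments.
if [ "$#" -eq 4 ]; then
  grant_repo_reader "$@"
fi
```

The verification step should print `roles/artifactregistry.reader` and nothing broader; any additional role listed for that account on the repository is worth reviewing.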