9

I have two projects in Google Cloud. In the first project I have some images in the Container Registry and I'm using them in GKE.

When I try to create a container in the second project, it gives me an error:

Error: Status 403 trying to pull repository project-1/image-x: "Access denied."

How can I use those images in GKE but in a different project? I don't want to create the same images in the second project.

lucas.coelho
  • Important question, since you have multiple environments and a CI/CD pipeline to deploy on GKE. I do have another question: if you use Cloud SQL Proxy, once the deployment YAML has the project ID explicit, can you use external vars in the deployment YAML? You can define env vars, but can you use/consume them? – Tiago Medici Oct 06 '20 at 13:50

2 Answers

10

In your second project (the GKE project), look at the IAM permissions and you will see a user similar to: 123456789-compute@developer.gserviceaccount.com.

Then in your first project (the container registry project), grant that user the Storage Object Viewer permission to allow GKE to pull images.

AllSySt3msG0
  • More precisely, you need to check the service account, which is used by your VM instances which are k8s cluster worker nodes. – danman Nov 16 '20 at 16:31
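
The grant described in the answer and comment above, scripted as an added example (not part of the original answer or comments). It assumes a zonal cluster whose node pools all use the service account reported in `nodeConfig.serviceAccount`; the function names and all arguments are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: let GKE nodes in one project pull from Container Registry in another.
# Project, cluster and zone names are supplied by the caller; none come from the page.

# Container Registry keeps image layers in a Cloud Storage bucket in the registry project:
#   gcr.io -> artifacts.PROJECT.appspot.com, eu.gcr.io -> eu.artifacts.PROJECT.appspot.com
registry_bucket() {  # usage: registry_bucket <registry-host> <registry-project-id>
  case "$1" in
    gcr.io)   echo "gs://artifacts.$2.appspot.com" ;;
    *.gcr.io) echo "gs://${1%.gcr.io}.artifacts.$2.appspot.com" ;;
    *)        echo "unsupported registry host: $1" >&2; return 1 ;;
  esac
}

# GKE reports "default" when nodes run as the Compute Engine default service account.
node_sa_email() {  # usage: node_sa_email <serviceAccount-field> <gke-project-number>
  if [ "$1" = "default" ]; then
    echo "$2-compute@developer.gserviceaccount.com"
  else
    echo "$1"
  fi
}

grant_pull_access() {  # usage: <gke-project> <cluster> <zone> <registry-host> <registry-project>
  local sa num bucket
  sa=$(gcloud container clusters describe "$2" --project "$1" --zone "$3" \
        --format='value(nodeConfig.serviceAccount)') || return 1
  num=$(gcloud projects describe "$1" --format='value(projectNumber)') || return 1
  bucket=$(registry_bucket "$4" "$5") || return 1
  # Read-only on this one bucket, for this one identity; no allUsers binding involved.
  gsutil iam ch "serviceAccount:$(node_sa_email "$sa" "$num"):objectViewer" "$bucket"
  gsutil iam get "$bucket"   # print the resulting bindings for review
}

# Only touches the cloud APIs when called with all five arguments.
if [ "$#" -eq 5 ]; then grant_pull_access "$@"; fi
```
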
3

You can modify who the images are visible to by using the access control settings available on the Google Cloud Storage bucket that they're stored in.

Reference: https://cloud.google.com/container-registry/docs/access-control

If you just want to make all your images readable to the entire world, then the command from this other StackOverflow answer should help:

gsutil -m acl -r set public-read gs://bucket-name
gsutil -m defacl set public-read gs://bucket-name

Alex Robinson