
I am trying to create a service role for a drone instance which builds and pushes a docker image to Google Container Registry.

It works with the role project>owner (presumably project>editor would work too). I have not been able to find a way to restrict it only to have permission to push to GCR, or find out what the minimal permissions are.

Service account roles

Stan Bondi

1 Answer

There is no permission to only allow it to push to GCR. The minimum permission to allow push is "Storage Object Creator". And this permission also allows the user to write to Google Cloud Storage, as suggested by the role's name.

Update: The correct minimum permission (IAM role) to allow push is "Storage Admin" based on current implementation.

Wei
  • That makes sense, unfortunately, I still get permission denied when using a service key with the "Storage > Object Creator" role. "Project > Editor" works, but it would be great to limit the scope of the JSON key. – Stan Bondi Oct 03 '16 at 12:16
  • Do you need to create a bucket when you push to GCR? I.e. in your image name, gcr.io/foo/bar:some_tag, is "foo" a new bucket when you tried to push (or, in another word, do you have gcr.io/foo/some_other_image already when your service role tried to push gcr.io/foo/bar:some_tag)? – Wei Oct 03 '16 at 14:05
  • Yup, the repo exists. The tag obviously doesn't, but I doubt that makes a difference. Perhaps I should triple check because what you are saying makes perfect sense, so possibly I've missed something silly. Can I ask, have you tested a service key making sure it just has this permission and gotten it to push? – Stan Bondi Oct 03 '16 at 14:26
  • Hi, just to make sure we are not missing anything obvious before we spend time investigating other possibilities, do the repos belong to the same domain when you say "the repo exists"? I.e. if you already have gcr.io/foo/bar:latest, but you don't have any gcr.io/foo/xxx images (where domain can be us, asia, eu), when you want to push gcr.io/foo/xxx images, only having Storage.Object.creator is not enough, because behind the scenes a new bucket dedicated to this domain needs to be created, and in that case you will need to be project editor or project owner. – Wei Oct 03 '16 at 17:25
  • Yup, always using eu.gcr.io - permission is denied with Object Creator. I'll test Storage > Admin at some point (bit busy to keep coming back to this ATM) and get back to you. Thanks for your help, and let me know if you think of a reason why Object Creator isn't enough. – Stan Bondi Oct 04 '16 at 13:58
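The setup the answer and comments converge on, written out as an added example (not code from the question, the answer, or Google): create a dedicated service account for the CI job, grant it Storage Admin only on the bucket that backs the registry host, mint a JSON key and log docker in with it. It goes slightly beyond the thread by scoping the role to the bucket instead of the whole project; the project id, service account name and key file name are placeholders, and the commands are printed rather than executed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original page. Grant a CI service account the
# Storage Admin role needed to push to GCR, scoped to the registry's backing
# bucket rather than the whole project. All names below are placeholders.
PROJECT="${PROJECT:-my-project}"          # assumption: your GCP project id
SA_NAME="${SA_NAME:-drone-gcr-push}"      # assumption: service account name
REGION="${REGION:-eu}"                    # "eu" for eu.gcr.io; "" for gcr.io
APPLY="${APPLY:-0}"                       # 1 = run gcloud/gsutil, 0 = print only

# GCR keeps image layers in one GCS bucket per registry host:
#   gcr.io          -> artifacts.<project>.appspot.com
#   <region>.gcr.io -> <region>.artifacts.<project>.appspot.com  (us, eu, asia)
# This is the bucket that must exist before a bucket-level grant can work.
gcr_bucket() {
  region="$1"; project="$2"
  if [ -z "$region" ]; then
    echo "artifacts.${project}.appspot.com"
  else
    echo "${region}.artifacts.${project}.appspot.com"
  fi
}

sa_email() { echo "$1@$2.iam.gserviceaccount.com"; }

# Each step is returned as a command string so it can be reviewed first.
cmd_create_sa() {
  echo "gcloud iam service-accounts create $SA_NAME --project $PROJECT --display-name 'Drone GCR push'"
}
cmd_bind_bucket() {
  # Storage Admin on the one bucket, not roles/storage.admin on the project.
  echo "gsutil iam ch serviceAccount:$(sa_email "$SA_NAME" "$PROJECT"):roles/storage.admin gs://$(gcr_bucket "$REGION" "$PROJECT")"
}
cmd_create_key() {
  # key.json is a long-lived credential: hand it to the CI secret store only.
  echo "gcloud iam service-accounts keys create key.json --iam-account $(sa_email "$SA_NAME" "$PROJECT") --project $PROJECT"
}
cmd_docker_login() {
  echo "docker login -u _json_key --password-stdin https://${REGION:+$REGION.}gcr.io < key.json"
}

run() {
  if [ "$APPLY" = "1" ]; then sh -c "$1"; else echo "[dry-run] $1"; fi
}

run "$(cmd_create_sa)"
run "$(cmd_bind_bucket)"
run "$(cmd_create_key)"
run "$(cmd_docker_login)"
```

The bucket-level binding only succeeds once the regional bucket exists, which is exactly the case Wei describes: the very first push to a new registry host (for example the first image ever pushed to eu.gcr.io in the project) creates that bucket and needs a project editor or owner; after that, a service account holding Storage Admin on the bucket alone can push. Dropping the CI key to bucket scope means a leaked key cannot read or write the project's other buckets.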