Assume I have two projects like [GCR-project] and [read-project]. I want to pull images stored in GCR in [GCR-project] from a VM in [read-project]
I have already referred this, but did not work. I tried two ways namely,
1. Adding service account to IAM:
I added [read-project]'s VM service account mail to [GCR-project] with role set to Storage > Storage Object Viewer. Now, trying to pull docker container in [read-project]'s VM using the command
docker pull asia.gcr.io/<GCR-project-id>/<folder>/<container-name>
failed with 403. I also tried this command:
gcloud docker pull asia.gcr.io/sharedproject-156002/em/textextractor:8-jre-p4
which also failed with 403. I tried upgrading the role to editor role to the service account in IAM. After this also, docker pull command failed with 403.
2. Adding service account to gsutil acl:
All GCR repositories are actually cloud storage buckets. So, I tried editing the bucket acl to allow read permissions for the [read-project]'s VM service account by using the command:
gsutil acl ch -u <service-account-mailID>:R gs://artifacts.$PROJECT_ID.appspot.com
After this trying out docker pull command also failed with 403.
How to pull docker images from VM of different project? I would also like to know to access docker images in GCR from VM other than GCP like AWS.
