Why Can't I Pull Google Artifact Registry Docker Images Build with Google Cloud Build?

Question

I created a Docker image ($DOCKER_IMAGE_NAME) using Google Cloud Build (GCB). I don't seem to be able to pull $DOCKER_IMAGE_NAME:

docker pull us-central1-docker.pkg.dev/. . ./$DOCKER_IMAGE_NAME:$DOCKER_IMAGE_TAG

#=>

Error response from daemon: Get https://us-central1-docker.pkg.dev/. . ./$DOCKER_IMAGE_NAME/v1: denied: Permission "artifactregistry.repositories.downloadArtifacts"denied on resource "projects/. . ./$DOCKER_REPOSITORY_NAME" (or it may not exist)

How can I pull $DOCKER_IMAGE_NAME?

Hi, yes, I wasn't logged in so I did and still the same Error response. — jose fernandez, Nov 25 '20 at 04:26
Are you authenticated with gcloud? If so, change your docker authentication like this `gcloud auth configure-docker -q`, and tell me if it's better. In addition, check the spelling of your registry/image with the gcloud command, example like this `gcloud beta artifacts repositories list` — guillaume blaquiere, Nov 25 '20 at 09:19
Perfect, I was able to pull and push from the registry as soon as ran the command. — jose fernandez, Nov 26 '20 at 03:33

score 4 · Answer 1 · edited Feb 24 '22 at 02:16

4

The error message seems to indicate that you need to grant permissions.

You will need to run the add-iam-policy-binding command:

gcloud projects add-iam-policy-binding $PROJECT \
--member=$MEMBER \
--role=$ROLE

where $ROLE is artifactregistry.repositories.downloadArtifacts.

See this for more information.

edited Feb 24 '22 at 02:16

Mike

1,080
1
9
25

answered Nov 25 '20 at 16:06

Gerb

486
2
6

score 0 · Answer 2 · answered May 13 '22 at 09:23

0

You also need to add role related to Artifact to your service account. Even if your service account has a owner role it wont work because GCP artifact repo has its own permissions boundary.

answered May 13 '22 at 09:23

Devang Pandya

1

1

You would only need to associate a role with a service account (`$SERVICE_ACCOUNT`) if you are impersonating `$SERVICE_ACCOUNT` when `pull`ing or `push`ing a Docker image from or to GAR. Posting an answer that involves impersonating `$SERVICE_ACCOUNT` would help someone who reaches this page in search of your answer, but only if you provide more supporting details and step-by-step instructions for associating a role (e.g.,`artifactregistry.repositories.downloadArtifacts`) with `$SERVICE_ACCOUNT` using the Cloud SDK (`gcloud`), the console and/or the REST API. Thank you. – Mike May 14 '22 at 03:05

score 0 · Answer 3 · answered Mar 03 '23 at 13:59

0

I saw the setup instructions from artifact registry at a later time (migrated from container registry) and it's needd to specify the region gcloud auth configure-docker europe-west1-docker.pkg.dev

answered Mar 03 '23 at 13:59

PCatinean

76
2

Why Can't I Pull Google Artifact Registry Docker Images Build with Google Cloud Build?

3 Answers3

Linked