服务帐户无法将 Docker 图像推送到 Google Artifact Registry
Service Account Unable to Push Docker Image to Google Artifact Registry
我正在尝试 push Docker 图片到 Google Artifact Registry (GAR),同时模拟服务帐户 ($SERV_ACCT_EMAIL):
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/$GCP_PROJECT_ID/locations/us-west1/repositories/$GAR_REPOSITORY" (or it may not exist)
$SERV_ACCT_EMAIL 具有 Artifact Registry Writer (roles/artifactregistry.writer) 和 Artifact Registry Reader (roles/artifactregistry.reader) 角色;后者具有 artifactregistry.repositories.downloadArtifacts 权限。因此,如果资源被授予access to $SERV_ACCT_EMAIL,我相信我确实能够push那些神器。
如何在冒充 $SERV_ACCT_EMAIL 时 push 进入 GAR?
在模拟您的服务帐户 ($SERVICE_ACCOUNT_EMAIL) 时,您可能需要 configure-docker:
检查以确保您仍在冒充 $SERVICE_ACCOUNT_EMAIL:
gcloud auth list
#=>
Credentialed Accounts
ACTIVE ACCOUNT
. . .
* $SERVICE_ACCOUNT_EMAIL
. . .
如果没有:
gcloud auth activate-service-account \
"$SERVICE_ACCOUNT_EMAIL" \
--key-file=$SERVICE_ACCOUNT_JSON_FILE_PATH
#=>
Activated service account credentials for: [$SERVICE_ACCOUNT_EMAIL]
运行 针对 auth 组的 configure-docker 命令:
gcloud auth configure-docker us-west1-docker.pkg.dev
#=>
. . .
Adding credentials for: us-west1-docker.pkg.dev
. . .
最后,再次尝试 push 使用 Docker 图像。
我正在尝试 push Docker 图片到 Google Artifact Registry (GAR),同时模拟服务帐户 ($SERV_ACCT_EMAIL):
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/$GCP_PROJECT_ID/locations/us-west1/repositories/$GAR_REPOSITORY" (or it may not exist)
$SERV_ACCT_EMAIL 具有 Artifact Registry Writer (roles/artifactregistry.writer) 和 Artifact Registry Reader (roles/artifactregistry.reader) 角色;后者具有 artifactregistry.repositories.downloadArtifacts 权限。因此,如果资源被授予access to $SERV_ACCT_EMAIL,我相信我确实能够push那些神器。
如何在冒充 $SERV_ACCT_EMAIL 时 push 进入 GAR?
在模拟您的服务帐户 ($SERVICE_ACCOUNT_EMAIL) 时,您可能需要 configure-docker:
检查以确保您仍在冒充
$SERVICE_ACCOUNT_EMAIL:gcloud auth list #=> Credentialed Accounts ACTIVE ACCOUNT . . . * $SERVICE_ACCOUNT_EMAIL . . .如果没有:
gcloud auth activate-service-account \ "$SERVICE_ACCOUNT_EMAIL" \ --key-file=$SERVICE_ACCOUNT_JSON_FILE_PATH #=> Activated service account credentials for: [$SERVICE_ACCOUNT_EMAIL]运行 针对
auth组的configure-docker命令:gcloud auth configure-docker us-west1-docker.pkg.dev #=> . . . Adding credentials for: us-west1-docker.pkg.dev . . .最后,再次尝试
push使用 Docker 图像。