服务帐户无法将 Docker 图像推送到 Google Artifact Registry

Service Account Unable to Push Docker Image to Google Artifact Registry

我正在尝试 push Docker 图片到 Google Artifact Registry (GAR),同时模拟服务帐户 ($SERV_ACCT_EMAIL):

denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/$GCP_PROJECT_ID/locations/us-west1/repositories/$GAR_REPOSITORY" (or it may not exist)

$SERV_ACCT_EMAIL 具有 Artifact Registry Writer (roles/artifactregistry.writer) 和 Artifact Registry Reader (roles/artifactregistry.reader) 角色;后者具有 artifactregistry.repositories.downloadArtifacts 权限。因此,如果资源被授予access to $SERV_ACCT_EMAIL,我相信我确实能够push那些神器。

如何在冒充 $SERV_ACCT_EMAILpush 进入 GAR?

在模拟您的服务帐户 ($SERVICE_ACCOUNT_EMAIL) 时,您可能需要 configure-docker

  1. 检查以确保您仍在冒充 $SERVICE_ACCOUNT_EMAIL:

    gcloud auth list
    
    #=>
    
    Credentialed Accounts
    ACTIVE  ACCOUNT
            . . .
    *       $SERVICE_ACCOUNT_EMAIL
            . . .
    

    如果没有:

    gcloud auth activate-service-account \
    "$SERVICE_ACCOUNT_EMAIL" \
    --key-file=$SERVICE_ACCOUNT_JSON_FILE_PATH
    
    #=>
    
    Activated service account credentials for: [$SERVICE_ACCOUNT_EMAIL]
    
  2. 运行 针对 auth 组的 configure-docker 命令:

    gcloud auth configure-docker us-west1-docker.pkg.dev
    
    #=>
    
    . . .
    Adding credentials for: us-west1-docker.pkg.dev
    . . .
    
  3. 最后,再次尝试 push 使用 Docker 图像。