
Permission issue connecting to Artifact Registry

When I use a service account to connect to Artifact Registry to download an artifact from a remote repository configured for the Docker Hub repo, I get the below error message:

denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/<ProjectName>locations/asia/repositories/dockerhub-proxy" (or it may not exist)

I checked the service account and it does have the artifactregistry.reader policy attached to it.

The following stages are configured in the Cloud Build pipeline:

- name: gcr.io/cloud-builders/gcloud
  (to configure Docker auth)

- name: gcr.io/cloud-builders/docker
  (to pull the Docker image)

I tried the below commands from Cloud Shell as a user and still got the same error:
  gcloud auth configure-docker asia-docker.pkg.dev
  docker pull asia-docker.pkg.dev/<ProjectName>/dockerhub-proxy:21-alpine3.19


Hi @nsankaraiya,

Welcome to Google Cloud Community!

The "permission denied" error encountered when a service account with the artifactregistry.reader role tries to download an artifact from a remote Docker Hub repository in Artifact Registry is likely due to the fact that the artifactregistry.reader role does not include the artifactregistry.repositories.downloadArtifacts permission. This permission is specifically required for the download operation, especially when accessing remote repositories.

To resolve this issue, it is recommended to explicitly grant the artifactregistry.repositories.downloadArtifacts permission to the service account on the asia-docker.pkg.dev/PROJECT_NAME/dockerhub-proxy repository. If the download is being triggered by Cloud Build, ensure that the Cloud Build service account also has this permission. Additionally, proper Docker authentication using the service account's credentials should be set up in both the Cloud Shell environment (for testing) and within the Cloud Build pipeline. If the upstream Docker Hub repository is private, make sure that the remote Artifact Registry repository is configured with the appropriate authentication details.

Always follow the principle of least privilege when granting permissions, ensuring the service account has only the necessary access to perform its tasks. Regularly monitor IAM policies and Artifact Registry access logs to maintain proper access control and assist in troubleshooting any future issues.

If the issue persists, you can reach out to Google Cloud Support. When reaching out, include detailed information and relevant screenshots of the errors you've encountered. This will assist them in diagnosing and resolving your issue more efficiently.

Was this helpful? If so, please accept this answer as "Solution". If you need additional assistance, reply here within 2 business days and I'll be happy to help.
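As an added diagnostic helper (not code from this thread), the POSIX shell script below parses the denied line quoted in the question into its permission, project, location and repository, and prints the gcloud checks that match the reply: inspect the repository-level IAM policy, bind the reader role at repository scope for the principal that actually pulls (the Cloud Build service account when the pull runs in a build), and point Docker at the regional host. The project id "my-project" and the service account address are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic helper; not code from the thread. It parses an Artifact
# Registry "denied" line and prints (does not run) the gcloud checks to try next.

# Constructed sample: the denied line from the question, with the placeholder
# project id "my-project" in place of <ProjectName>.
SAMPLE_DENIED='denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource "projects/my-project/locations/asia/repositories/dockerhub-proxy" (or it may not exist)'

# Permission named in the denied line.
ar_permission() {
  printf '%s\n' "$1" | sed -n 's/.*Permission "\([^"]*\)".*/\1/p'
}

# One segment of the resource path: project, location or repository.
ar_field() {
  case "$2" in
    project)    printf '%s\n' "$1" | sed -n 's#.*projects/\([^/"]*\).*#\1#p' ;;
    location)   printf '%s\n' "$1" | sed -n 's#.*locations/\([^/"]*\).*#\1#p' ;;
    repository) printf '%s\n' "$1" | sed -n 's#.*repositories/\([^/"]*\).*#\1#p' ;;
  esac
}

# Regional Docker host for a location (asia -> asia-docker.pkg.dev).
ar_docker_host() { printf '%s-docker.pkg.dev\n' "$1"; }

# Print the checks for the principal doing the pull, in the order the reply
# suggests: inspect the repo policy, bind at repository scope only if the
# principal is missing, then configure Docker for the regional host.
ar_diagnose() {
  denied=$1; member=$2
  proj=$(ar_field "$denied" project); loc=$(ar_field "$denied" location)
  repo=$(ar_field "$denied" repository)
  cat <<EOF
# Missing permission: $(ar_permission "$denied")
# 1. Who actually holds a role on the repository? (For a Cloud Build trigger,
#    the pulling principal is the build's service account, not your user.)
gcloud artifacts repositories get-iam-policy "$repo" --location="$loc" --project="$proj"
# 2. Grant read at repository scope (least privilege) if $member is absent:
gcloud artifacts repositories add-iam-policy-binding "$repo" --location="$loc" --project="$proj" \\
  --member="serviceAccount:$member" --role="roles/artifactregistry.reader"
# 3. Let Docker use that account's credentials for the regional host:
gcloud auth configure-docker "$(ar_docker_host "$loc")"
EOF
}

ar_diagnose "$SAMPLE_DENIED" "build-sa@my-project.iam.gserviceaccount.com"
```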