"artifactregistry.repositories.downloadArtifacts" not permitted for artifactregistry.reader SA

Hello community!

Aiming to allow a 3rd party to pull images from my artifact registry, I have created a service account with `artifactregistry.reader` role. I made sure that `gcr.io` states this service account with the reader role. I even double-checked that this service account has the specific "artifactregistry.repositories.downloadArtifacts" permission using the GCP Policy Analyzer.

Nevertheless, following the steps from service account key authentication, I still get the same:

`Error response from daemon: Head "https://gcr.io/v2/PROJECT_NAME/DIRECTORY/manifests/TAG": denied: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.downloadArtifacts" on resource "projects/PROJECT_NAME/locations/us/repositories/gcr.io" (or it may not exist)`

When attempting to pull an image from my artifact registry.

I can't be using `gcloud` for this purpose (business considerations); only docker cli and the service account `.json` key file. The command I am executing to login is as follows:
`cat SA_JSON_KEY_PATH | docker login -u _json_key --password-stdin https://us-docker.pkg.dev`

It seems that the only thing missing for the configurations to be complete is to execute the gcloud command `gcloud auth activate-service-account --key-file=FILE_PATH`, which, again, I can't rely on. Can I somehow bypass that and still configure the docker client with the SA credentials?

Any known issues regarding that? Any tips how to overcome this?


Hi @Danieloni,

Welcome to Google Cloud Community!

Based on this documentation on the Artifact Registry service account, the service agent for Artifact Registry is created automatically and its identifier should look like this:

service-[PROJECT-NUMBER]@gcp-sa-artifactregistry.iam.gserviceaccount.com

If you haven't seen this identifier, you can create the service account manually, even before any repositories have been created:

gcloud beta services identity create \
    --service=artifactregistry.googleapis.com \
    --project=[PROJECT-ID]

This would grant the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent), and the role has only these 3 minimum required permissions:

  • Publish Pub/Sub topics: pubsub.topics.publish
  • Download artifacts from Artifact Registry repositories: artifactregistry.repositories.downloadArtifacts
  • Delete artifacts: artifactregistry.versions.delete

If the aforementioned steps didn't work, you may reach out to Google Cloud support or file a bug so that our engineers could take a look at this. We don't have a specific ETA but you can keep track of its progress once the ticket has been created.

Hope this helps.

Thanks @robertcarlos! I appreciate your response 🙂

The thing is that I need to create a service account that has limited access, namely a service account with the `Artifact Registry Reader` role, and NOTHING more. This service account is going to be used by a 3rd party outside my organization, so I need to make sure they will only be able to download images and not, e.g., delete images or push to the registry (like the automatically created service agent can).

This query is still relevant. Does anyone have any suggestions regarding my issue?
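Docker stores a saved credential per registry host, so a `docker login` to one host is not sent with pulls from a different host. The helpers below, added here as an example and not code from the thread or from Google, check that the host in the image reference is the host the reader-only service account's JSON key was used to log in to before pulling; the key path and image names are placeholders.

```shell
#!/bin/sh
# Added example: verify that the docker login target covers the registry
# host of the image before logging in with the reader SA's JSON key.
# Key path, project and image names below are placeholders.

# Print the registry host of an image reference, following Docker's rule:
# a name without '/' lives on docker.io; otherwise the first path
# component is a host only if it contains '.' or ':' or is 'localhost'.
registry_host() {
  ref=$1
  case "$ref" in
    */*) first=${ref%%/*} ;;
    *)   printf '%s\n' docker.io; return 0 ;;
  esac
  case "$first" in
    *.*|*:*|localhost) printf '%s\n' "$first" ;;
    *)                 printf '%s\n' docker.io ;;
  esac
}

# Strip an optional scheme and path from a docker login target; print the host.
login_host() {
  target=$1
  target=${target#https://}
  target=${target#http://}
  printf '%s\n' "${target%%/*}"
}

# Succeed only when the login target and the image reference name the same host.
hosts_match() {
  [ "$(login_host "$1")" = "$(registry_host "$2")" ]
}

# Log in with the JSON key of the reader-only service account (_json_key is the
# username Artifact Registry expects for a raw key file) and pull the image.
# Refuses to run when the credential would be saved for a different host than
# the one the pull is addressed to, which is what yields "Unauthenticated request".
pull_with_key() {
  key_path=$1; login_target=$2; image=$3
  if ! hosts_match "$login_target" "$image"; then
    echo "login target $(login_host "$login_target") does not cover host $(registry_host "$image")" >&2
    return 1
  fi
  docker login -u _json_key --password-stdin "$login_target" < "$key_path" \
    && docker pull "$image"
}

# Placeholder usage: log in to the same host the image is pulled from.
# pull_with_key ./reader-sa-key.json https://gcr.io gcr.io/PROJECT_NAME/DIRECTORY:TAG
```

Because the login is scoped to the reader service account's key, the third party still holds nothing beyond `artifactregistry.reader`; the check only makes sure that credential is the one Docker presents for the pull.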