Access GCP Docker image from different project

I have two GCP projects. projectA contains an Artifact Registry where I store my Docker images; projectB is where I want to use such an image to deploy it with App Engine (flexible).

Here's what my command looks like:

gcloud app deploy --project=projectB --version=test1 --image-url="asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest"

It fails like this:

ERROR: (gcloud.app.deploy) Error Response: [7] The App Engine appspot and App Engine flexible environment service accounts must have permissions on the image [asia-northeast1-docker.pkg.dev/projectA/default/my-image:latest]. Please check that the App Engine default service account has the [Storage Object Viewer] role and the App Engine Flexible service account has the App Engine Flexible Environment Service Agent role

I ensured that the App Engine default service account has the Storage Object Viewer role (in both projects); however, I cannot find an App Engine Flexible service account anywhere.

valenterry asked Oct 23 '25 17:10


2 Answers

On Google Cloud, you have two container registry products: Container Registry and Artifact Registry.

When you use Container Registry, the legacy one, Kunal's answer is correct: you need to grant the service account the Storage Object Viewer role on your project.

However, a major evolution of the new registry, Artifact Registry, is IAM compatibility. This time you can grant not at project scope (you can, but I don't recommend it) but at registry scope. And there is an IAM role dedicated to that.

Go to Artifact Registry, select it (check box on the left) and go to the permission panel on the right-hand side.

Click on add member, add your service account and select the correct role; here Artifact Reader is enough.

(It also works if you grant your service account at project scope, of course, with the same role.)


EDIT 1

You can grant this role at project level also.

guillaume blaquiere answered Oct 26 '25 06:10
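The registry-scoped grant described in the answer above, as an added shell example (not code from the answer or from Google's documentation); it assumes the repository name default and location asia-northeast1 from the question's image URL, treats projectA/projectB as placeholder project IDs, and prints the gcloud commands unless DRY_RUN=0 is set:

```shell
#!/usr/bin/env sh
# Added example, not code from the answers above: grant projectB's App Engine
# default service account read access to one Artifact Registry repository in
# projectA (repository scope, not project scope), then confirm the binding.
# Assumptions: repository "default" in asia-northeast1, from the question's image
# URL; projectA/projectB stand for real project IDs. DRY_RUN=1 (default) prints
# the gcloud commands instead of running them.
IMAGE_PROJECT="${IMAGE_PROJECT:-projectA}"
DEPLOY_PROJECT="${DEPLOY_PROJECT:-projectB}"
REPO="${REPO:-default}"
LOCATION="${LOCATION:-asia-northeast1}"
DRY_RUN="${DRY_RUN:-1}"

# IAM member string for a project's App Engine default service account,
# which is named PROJECT_ID@appspot.gserviceaccount.com.
gae_default_member() {
    printf 'serviceAccount:%s@appspot.gserviceaccount.com\n' "$1"
}

# Repository-scoped grant: roles/artifactregistry.reader on this one repo is
# the least privilege the deploy needs to pull the image.
grant_reader_cmd() {
    printf 'gcloud artifacts repositories add-iam-policy-binding %s --project=%s --location=%s --member=%s --role=roles/artifactregistry.reader\n' \
        "$REPO" "$IMAGE_PROJECT" "$LOCATION" "$(gae_default_member "$DEPLOY_PROJECT")"
}

# Read the repository policy back to confirm the binding landed.
get_policy_cmd() {
    printf 'gcloud artifacts repositories get-iam-policy %s --project=%s --location=%s --format=json\n' \
        "$REPO" "$IMAGE_PROJECT" "$LOCATION"
}

run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $1"; else sh -c "$1"; fi
}

# Apply the grant; outside dry-run, succeed only if the member now appears
# in the repository's policy.
apply_and_verify() {
    run_cmd "$(grant_reader_cmd)" || return 1
    if [ "$DRY_RUN" = 1 ]; then
        run_cmd "$(get_policy_cmd)"
        return 0
    fi
    run_cmd "$(get_policy_cmd)" | grep -q "$(gae_default_member "$DEPLOY_PROJECT")"
}

apply_and_verify
```

Run it with DRY_RUN=0 from an account that can administer projectA's repository; the script's exit status then tells you whether the binding is actually present.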


You will need to make sure that the App Engine default service account of projectB has access to the GCS bucket in projectA.

You should go to projectA, to "IAM" (not "Service Accounts"). There you will be able to add the email address of the App Engine default service account from projectB.

Kunal Deo answered Oct 26 '25 07:10