Create Service Connection from Azure DevOps to GCP Artifact Registry

Question

Is there have any tutorials for creating a service account to GCP Artifact Registry?

i have tried this: https://cloud.google.com/architecture/creating-cicd-pipeline-vsts-kubernetes-engine ... but it is using GCP Container Registry

I do not imagine it should be much different but i keep on getting this:

##[error]denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource

BUT the service account i created has the permissions needed (albeit those roles are in beta). i even gave it a very elevated role and still getting this.

when i created the service connect i followed these steps from the documentation linked above:

• Docker Registry: https://gcr.io/PROJECT_ID, replacing PROJECT_ID with the name of your project (for example, https://gcr.io/azure-pipelines-test-project-12345).
• Docker ID: _json_key
• Password: Paste the content of azure-pipelines-publisher-oneline.json.
• Service connection name: gcr-tutorial

Any advice on this would be appreciated.

Answer 1

I was having the same issue. As @Mexicoder points out the service account needs the ArtifactRegistryWriter permission. In addition, the following wasn't clear to me initially:

• The service connection needs to be in the format: https://REGION-docker.pkg.dev/PROJECT-ID (where region is something like 'us-west2')
• The repository parameter to the Docker task (Docker@2) needs to be in the form: PROJECT-ID/REPO/IMAGE