GCP Cloud Run Cannot Pull Image from Artifact Registry in Other Project

0 votes

I have a parent project with a docker-configured artifact registry.

A cloud-based service that runs as part of a child project has to get its image from the parent.

A service account attached to the child project has IAM role roles/artifact registry. writer permission to access the repository.

I receive the following problem when I attempt to launch my service:

To read the image, Google Cloud Run Service Agent has to have permission. 

europe-west1-docker.pkg.dev/test-parent-project/docker-webank-private/node:custom-1. 

Verify that the container image URL provided is accurate and that the aforementioned account has the authorization to access the image. 

It can take a while for the rights to spread if you just enabled the Cloud Run API.

cat $GOOGLE_APPLICATION_CREDENTIALS | docker login -u _json_key --password-stdin https://europe-west1-docker.pkg.dev
> Login succeeded
docker pull europe-west1-docker.pkg.dev/bfb-cicd-inno0/docker-webank-private/node:custom-1
> OK


image
Nov 10 in GCP by Tejashwini
• 2,860 points
87 views

1 answer to this question.

0 votes

In Cloud Run, there are two different sorts of service accounts:

The service account for the Google Cloud Run API
The service account for Runtime.
You refer to the runtime service account, the identity that will be used by the service when it runs and calls Google Cloud API, in your description and screenshot.

The service must first be deployed though, before it can run. This time, an internal Google Cloud Run process was launched to pull the container, produce a revision, and do all necessary internal tasks. A service account called "service agent" also exists to carry out that task.

You may locate it in the IAM console at: The structure is as follows

service-@serverless-robot-prod.iam.gserviceaccount.com
Don't forget to select Include in the checkbox in the top right corner.

enter image description here

Give the appropriate access to the deployment service account and not the runtime service account if you want it to be able to pull images from another project.

answered Nov 10 by Ashwini
• 2,760 points

Related Questions In GCP

+2 votes
1 answer

How to create a project in GCP Cloud?

Hi@akhtar, To deploy your app on App Engine, ...READ MORE

answered Aug 23, 2020 in GCP by MD
• 95,380 points
291 views
+2 votes
1 answer

How to create a project from GCP Cloud Shell?

Hi@akhtar, GCP shell has a command named gcloud. ...READ MORE

answered Aug 23, 2020 in GCP by MD
• 95,380 points
864 views
+2 votes
1 answer

How to enable new services to a project in GCP Cloud?

Hi@akhtar, You can enable new services to your ...READ MORE

answered Aug 23, 2020 in GCP by MD
• 95,380 points
435 views
+2 votes
1 answer
+2 votes
1 answer

Deploy Docker Containers from Docker Cloud

To solve this problem, I followed advice ...READ MORE

answered Sep 3, 2018 in AWS by Priyaj
• 58,100 points
1,855 views
0 votes
1 answer

In GCP share a VPN gateway with other projects

You must consider the following factors: Cost: It ...READ MORE

answered Nov 8 in GCP by Ashwini
• 2,760 points
41 views
0 votes
1 answer

In GCP, how to list all the resources running under project?

For a specific organization, folder, or project, ...READ MORE

answered Nov 10 in GCP by Ashwini
• 2,760 points
71 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP