How can a GKE cluster pull container images from a Container Registry hosted in another project?
I have a GKE cluster in project <reader-project> trying to access a GCR image in project <registry-project>.
I've tried adding the GCE service account email for <reader-project> as a User with Reader access on the storage bucket in <registry-project>, but I'm still getting the error:
<Error><Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>Caller does not have storage.objects.get access to object us.artifacts.<registry-project>.appspot.com/containers/images/sha256:<tag>.
</Details></Error>
Look at the IAM permissions of the project under which you have your GKE and you will see a user similar to: 123456789-compute@developer.gserviceaccount.com.
Then in your container registry project, grant that user the Storage Object Viewer permission. Your GKE will then be allowed to pull images from th
Can you run the following commands to check the permissions for both buckets:
gsutil acl get gs://us.artifacts..appspot.com
gsutil acl get gs://artifacts..appspot.com
artifacts..appspot.com is the default bucket. When you add the service account as Storage Object Viewer, read-only permission of the default bucket is granted.
Here is the link about gsutil tool: https://cloud.google.com/storage/docs/gsutil/commands/acl
Try to add the GCE service account email as a User with the Storage Object Viewer role. It gives the service account read-only access to GCS objects (container images) in your project.
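The grant-and-verify procedure that all three answers describe, as an added example that is not part of any of the posted answers: find the service account the cluster's nodes run as, grant it only roles/storage.objectViewer on the registry project (not a broader role such as Storage Admin), and then confirm the binding is present. The project ids, cluster name, location and service-account numbers are hypothetical placeholders; with DRY_RUN=1 (the default) the functions print the gcloud/gsutil commands they would run instead of executing them, so the script can be read and checked offline.

```shell
#!/bin/sh
# Added example, not code from the original answers. Assumed placeholder
# values: READER_PROJECT hosts the GKE cluster, REGISTRY_PROJECT hosts the
# GCR buckets. DRY_RUN=1 prints commands instead of running them.

READER_PROJECT="${READER_PROJECT:-reader-project}"
REGISTRY_PROJECT="${REGISTRY_PROJECT:-registry-project}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# The default compute service account is named after the project NUMBER
# (not the project id); the number comes from:
#   gcloud projects describe "$READER_PROJECT" --format 'value(projectNumber)'
node_sa_for_number() {
  printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Clusters are not obliged to use the default SA: read the one actually
# configured (each node pool may override it under nodePools[].config).
cluster_node_sa() {
  run gcloud container clusters describe "$1" --location "$2" \
    --project "$READER_PROJECT" --format 'value(nodeConfig.serviceAccount)'
}

# Least-privilege grant: read-only object access on the registry project.
grant_pull_access() {
  run gcloud projects add-iam-policy-binding "$REGISTRY_PROJECT" \
    --member "serviceAccount:$1" --role roles/storage.objectViewer
}

# Members currently holding objectViewer on the registry project, one per line.
list_object_viewers() {
  run gcloud projects get-iam-policy "$REGISTRY_PROJECT" \
    --flatten 'bindings[].members' \
    --filter 'bindings.role:roles/storage.objectViewer' \
    --format 'value(bindings.members)'
}

# Bucket-level policy, for the case where access was granted on the bucket
# rather than on the project (the question's attempt used bucket ACLs).
bucket_policy() {
  run gsutil iam get "gs://$1"
}

# Pure check used after list_object_viewers: is the SA in the member list?
# $1 = newline-separated member list, $2 = service account email.
is_granted() {
  printf '%s\n' "$1" | grep -qx "serviceAccount:$2"
}

# Usage (placeholder values):
#   sa=$(node_sa_for_number 123456789)
#   grant_pull_access "$sa"
#   members=$(DRY_RUN=0 list_object_viewers)
#   is_granted "$members" "$sa" && echo "pull access in place"
```

The verification step matters because the error in the question comes from the storage layer, not from GKE: once the binding exists on the registry project, a fresh pull should succeed without any change to the cluster itself. If the cluster's node pools use a custom service account, grant that account rather than the default compute one.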