What's the minimal permissions I need to configure for a GKE node pool to pull from a private GCR repo in the same project?

10/26/2018

I am trying to configure my GKE cluster to pull from a private GCR repo in the same project. I am not using OAuth scopes but have associated a least privilege service account with the default node pool and provided it with the roles/storage.objectViewer permission.

However, I am still receiving the following when trying to access this image:

Failed to pull image "eu.gcr.io/<project>/<image>": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

Do I also need to configure imagePullSecrets or should the roles/storage.objectViewer permission be sufficient?

-- dippynark
google-cloud-platform
google-kubernetes-engine
kubernetes

1 Answer

10/27/2018

The root cause of this issue was not setting access (OAuth) scopes on the cluster instances, which prevented the service account from working as intended.

From the GCP docs about Compute service accounts:

You must set access scopes on the instance to authorize access.

You cannot set only IAM roles on the service account and omit access scopes when creating the virtual machine instance. The level of access a service account has is determined by a combination of access scopes and IAM roles so you must configure both access scopes and IAM roles for the service account to work properly.

The minimal scopes required when accessing private images in GCR can be found here with the meaning of these scopes found here. A least privilege service account for the cluster nodes can then be created following the instructions here.

As described here an alternative would be to only grant the https://www.googleapis.com/auth/cloud-platform scope to the cluster nodes which authorises access to all Cloud Platform services and then limit access through IAM roles on node service accounts.

By configuring the cluster nodes as above, imagePullSecrets are not required for pulling private images from GCR in the same project.

-- dippynark
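The "scope AND role" rule from the answer, turned into a script. This is an added example, not code from the original question or answer: it provisions a least-privilege node service account with roles/storage.objectViewer, creates a node pool that carries both that service account and the devstorage.read_only scope, and includes a check that reproduces the asker's failure mode (IAM role present, node scope missing). The project, cluster, zone, service-account and pool names are assumed placeholders; the gcloud commands are real, and setting GCLOUD=echo prints them instead of running them. Run with `apply` to provision, or `check <node-vm-name>` to inspect the scopes an existing node VM actually carries.

```shell
#!/bin/sh
# Added example, not code from the original answer. Provisions a least-privilege
# node service account plus a node pool that carries BOTH the IAM role and the
# OAuth scope needed to pull from GCR in the same project, and implements the
# "scope AND role" check the answer describes so the asker's situation (role
# present, scope missing) can be diagnosed. PROJECT, CLUSTER, ZONE, SA_NAME and
# POOL are assumed placeholders; set GCLOUD=echo to print commands, not run them.
set -eu

PROJECT="${PROJECT:-my-project}"
CLUSTER="${CLUSTER:-my-cluster}"
ZONE="${ZONE:-europe-west1-b}"
SA_NAME="${SA_NAME:-gke-node-minimal}"
POOL="${POOL:-minimal-pool}"
GCLOUD="${GCLOUD:-gcloud}"

SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
# GCR stores image layers in a GCS bucket, so a read-only storage scope is the
# smallest scope that lets the node's token fetch them.
GCR_SCOPE="https://www.googleapis.com/auth/devstorage.read_only"

# Returns 0 if the scope list (comma, semicolon or space separated, as printed
# by `gcloud compute instances describe --format='value(serviceAccounts[0].scopes)'`)
# contains a scope that authorises reading GCS objects.
gcr_pull_scope_ok() (
  IFS=',; '
  for s in $1; do
    case "$s" in
      https://www.googleapis.com/auth/cloud-platform|\
      https://www.googleapis.com/auth/devstorage.read_only|\
      https://www.googleapis.com/auth/devstorage.read_write|\
      https://www.googleapis.com/auth/devstorage.full_control) exit 0 ;;
    esac
  done
  exit 1
)

# Returns 0 if the comma-separated role list contains a predefined role that
# carries storage.objects.get, the permission a GCR pull needs.
gcr_pull_role_ok() {
  case ",$1," in
    *,roles/storage.objectViewer,*|*,roles/storage.objectAdmin,*|*,roles/storage.admin,*) return 0 ;;
  esac
  return 1
}

# The answer's point: effective access is the intersection of scope and role.
# Prints a diagnosis; returns 0 only when a pull would be authorised,
# 1 when the role is missing, 2 when the role is there but the scope is not.
diagnose_pull_access() {
  scopes="$1"; roles="$2"
  if ! gcr_pull_role_ok "$roles"; then
    echo "role missing: grant roles/storage.objectViewer to the node service account"
    return 1
  fi
  if ! gcr_pull_scope_ok "$scopes"; then
    # The asker's state: IAM is right, but the VM token cannot use it.
    echo "scope missing: node pool needs $GCR_SCOPE (or cloud-platform) as an access scope"
    return 2
  fi
  echo "ok: scope and role both present, no imagePullSecrets needed for same-project GCR"
  return 0
}

create_node_sa() {
  "$GCLOUD" iam service-accounts create "$SA_NAME" --project "$PROJECT" \
    --display-name "GKE node SA, least privilege"
  # The IAM half: the role that grants storage.objects.get on the GCR bucket.
  "$GCLOUD" projects add-iam-policy-binding "$PROJECT" \
    --member "serviceAccount:$SA_EMAIL" --role roles/storage.objectViewer
}

create_node_pool() {
  # Both halves in one place: the service account (IAM) and the scope (OAuth).
  "$GCLOUD" container node-pools create "$POOL" \
    --cluster "$CLUSTER" --zone "$ZONE" --project "$PROJECT" \
    --service-account "$SA_EMAIL" \
    --scopes "$GCR_SCOPE"
}

# Inspect a live node VM and run the same check against the scopes it has.
# $2 is the role list you granted to the node SA (default: objectViewer).
check_node_instance() {
  scopes=$("$GCLOUD" compute instances describe "$1" --zone "$ZONE" \
    --project "$PROJECT" --format='value(serviceAccounts[0].scopes)')
  diagnose_pull_access "$scopes" "${2:-roles/storage.objectViewer}"
}

case "${1:-}" in
  apply) create_node_sa; create_node_pool ;;
  check) check_node_instance "$2" "${3:-roles/storage.objectViewer}" ;;
esac
```

Note that `check` trusts the role list you pass it rather than reading the project's IAM policy, so it answers "does this node VM's token have a storage scope?", which is exactly the half of the equation the asker's cluster was missing.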
Source: StackOverflow