我正在尝试pushDocker映像到谷歌工件注册表(GAR),同时模拟服务帐户($SERV_ACCT_EMAIL):
denied: Permission " artifacregistry . repository . downloadartifacts "拒绝在资源"projects/$GCP_PROJECT_ID/locations/us-west1/repositories/$GAR_REPOSITORY"(也可能不存在)
$SERV_ACCT_EMAIL具有工件注册表写入器(roles/artifactregistry.writer)和工件注册表读取器(roles/artifactregistry.reader)角色;后者的权限为artifactregistry.repositories.downloadArtifacts。因此,如果资源被授予$SERV_ACCT_EMAIL的访问权限,我相信我确实能够push那些工件。
如何在模拟$SERV_ACCT_EMAIL时将push转换为GAR ?
在模拟您的服务帐户($SERVICE_ACCOUNT_EMAIL)时可能需要configure-docker:
-
检查以确保您仍在模拟
$SERVICE_ACCOUNT_EMAIL:gcloud auth list #=> Credentialed Accounts ACTIVE ACCOUNT . . . * $SERVICE_ACCOUNT_EMAIL . . .如果没有:
gcloud auth activate-service-account "$SERVICE_ACCOUNT_EMAIL" --key-file=$SERVICE_ACCOUNT_JSON_FILE_PATH #=> Activated service account credentials for: [$SERVICE_ACCOUNT_EMAIL] -
对
auth组运行configure-docker命令:gcloud auth configure-docker us-west1-docker.pkg.dev #=> . . . Adding credentials for: us-west1-docker.pkg.dev . . . -
最后,再次尝试
push加载Docker镜像。