"artifactregistry.repositories.downloadArtifacts" not permitted for artifactregistry.reader SA

Hello community!

Aiming to allow a 3rd party to pull images from my artifact registry, I have created a service account with artifactregistry.reader role. I made sure that gcr.io states this service account with the reader role. I even double-checked that this service account has the specific “artifactregistry.repositories.downloadArtifacts” permission using the GCP Policy Analyzer.

Nevertheless, following the steps from service account key authentication, I still get the same:

Error response from daemon: Head "https://gcr.io/v2/PROJECT_NAME/DIRECTORY/manifests/TAG": denied: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.downloadArtifacts" on resource "projects/PROJECT_NAME/locations/us/repositories/gcr.io" (or it may not exist)

When attempting to pull an image from my artifacts registry.

I can’t be using gcloud for this purpose (business considerations); only docker cli and the service account .json key file. The command I am executing to login is as follows:
cat SA_JSON_KEY_PATH | docker login -u _json_key --password-stdin https://us-docker.pkg.dev

It seems that the only thing missing for the configurations to be complete is to execute the gcloud command gcloud auth activate-service-account --key-file=FILE_PATH, which, again, I can’t rely on. Can I somehow bypass that and still configure the docker client with the SA credentials?

Any known issues regarding that? Any tips on how to overcome this?

2 Likes
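One general point worth checking in this situation, as an added example that is not part of the original post or of any Google tooling: Docker keeps one credential per registry host in its config.json, so the host handed to docker login has to be the host that appears in the image reference pulled afterwards (Artifact Registry repositories in the gcr.io domain are served at gcr.io, pkg.dev repositories at REGION-docker.pkg.dev). The script below derives the host from the image reference, logs in with the reader service account's JSON key over stdin, confirms a credential was stored for that host, and verifies pull rights with a read-only manifest fetch. The key path, project, directory and tag are placeholders; the separate config directory is a choice so the third party's credential does not mix with other Docker logins.

```shell
#!/bin/sh
# Added example, not from the thread. Docker keeps one credential per registry
# host in config.json, so `docker login` must target the host named in the image
# reference that is pulled afterwards. Key path, project, image and tag are placeholders.
set -eu

# Print the registry host for an image reference. The first path component is a
# host only when it contains '.' or ':' or is "localhost"; otherwise it is Docker Hub.
registry_host_for_image() {
    ref="$1"
    first="${ref%%/*}"
    case "$first" in
        "$ref")             echo "docker.io" ;;   # no '/' at all, e.g. ubuntu:22.04
        *.*|*:*|localhost)  echo "$first" ;;
        *)                  echo "docker.io" ;;   # e.g. library/ubuntu
    esac
}

# Log in to the host that serves the image with the reader service account's
# JSON key, fed through stdin so the key never appears in argv or shell history.
login_for_image() {
    key_file="$1"; image="$2"; config_dir="${3:-$HOME/.docker}"
    host="$(registry_host_for_image "$image")"
    docker --config "$config_dir" login -u _json_key --password-stdin \
        "https://$host" < "$key_file"
}

# Succeed only if config.json holds a credential for the host; a login against
# a different host (say us-docker.pkg.dev while pulling from gcr.io) fails here.
has_credential_for_host() {
    config_json="$1"; host="$2"
    grep -Eq "\"(https://)?$host\"[[:space:]]*:" "$config_json"
}

# Read-only check of pull rights: fetching the manifest needs
# artifactregistry.repositories.downloadArtifacts but downloads no layers.
verify_pull_access() {
    image="$1"; config_dir="${2:-$HOME/.docker}"
    docker --config "$config_dir" manifest inspect "$image" > /dev/null
}

main() {
    key="${SA_JSON_KEY_PATH:-./reader-sa-key.json}"        # placeholder path
    image="${IMAGE:-gcr.io/PROJECT_NAME/DIRECTORY:TAG}"    # placeholder image
    cfg="$(mktemp -d)"                                     # separate config dir for this credential
    host="$(registry_host_for_image "$image")"
    login_for_image "$key" "$image" "$cfg"
    has_credential_for_host "$cfg/config.json" "$host"
    echo "credential stored for $host"
    verify_pull_access "$image" "$cfg"
    echo "manifest for $image readable with the stored credential"
}

# Run the live login only when asked, so sourcing this file has no side effects.
if [ "${RUN_LOGIN:-0}" = "1" ]; then main; fi
```

Run it with RUN_LOGIN=1 SA_JSON_KEY_PATH=... IMAGE=... on the machine that only has the Docker CLI and the key file; gcloud is not involved. If has_credential_for_host fails right after a successful login, the login went to a different host than the one in the image reference, and the registry will see the pull as unauthenticated regardless of which IAM roles the account holds.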

Hi @Danieloni ,

Welcome to Google Cloud Community!

Based on this documentation on the Artifact Registry service account, the service agent for Artifact Registry will be created automatically, and its identifier should look like this:

service-[PROJECT-NUMBER]@gcp-sa-artifactregistry.iam.gserviceaccount.com

If you haven’t seen this identifier, you could create the service account manually, even without any repositories having been created:

gcloud beta services identity create \
    --service=artifactregistry.googleapis.com \
    --project=[PROJECT-ID]

This would grant the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent) and the role only has 3 minimum required permissions:

  • Publish Pub/Sub topics: pubsub.topics.publish
  • Download artifacts from Artifact Registry repositories: artifactregistry.repositories.downloadArtifacts
  • Delete artifacts: artifactregistry.versions.delete

If the aforementioned steps didn’t work, you may reach out to Google Cloud support or file a bug so that our engineers could take a look at this. We don’t have a specific ETA but you can keep track of its progress once the ticket has been created.

Hope this helps.

2 Likes

Thanks @robertcarlos ! I appreciate your response 🙂

The thing is that I need to create a service account that has limited access, namely a service account with the Artifact Registry Reader role, and NOTHING more. This service account is going to be used by a 3rd party outside my organization, so I need to make sure they will only be able to download images and not, e.g., delete images or push to the registry (like the automatically created service agent can).

This query is still relevant. Does anyone have any suggestions regarding my issue?

1 Like
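For the reader-only requirement stated in the last post, here is an added example (not from the thread, and not Google's tooling) of how the project owner, who is not bound by the 3rd party's no-gcloud constraint, can grant the role at repository scope and then check from the exported IAM policies that the account holds roles/artifactregistry.reader and nothing else. The project, repository, location and service account names are placeholders; the awk parser relies on the YAML layout that gcloud prints by default (a binding's members listed before its role).

```shell
#!/bin/sh
# Added example, not from the thread. Run on the project owner's side: grant a
# third-party service account the reader role on ONE repository, export the
# policies, and confirm the account holds that role and nothing else.
# Project, repository, location and account names are placeholders.
set -eu

PROJECT="${PROJECT:-PROJECT_NAME}"
REPO="${REPO:-gcr.io}"            # Artifact Registry repository that backs the gcr.io host
LOCATION="${LOCATION:-us}"
SA="${SA:-serviceAccount:reader-sa@PROJECT_NAME.iam.gserviceaccount.com}"

# Repository-scoped grant: narrower than binding the role on the whole project.
grant_reader_on_repo() {
    gcloud artifacts repositories add-iam-policy-binding "$REPO" \
        --project="$PROJECT" --location="$LOCATION" \
        --member="$SA" --role="roles/artifactregistry.reader"
}

# Export both policies the account could pick up bindings from (YAML is gcloud's default output).
export_policies() {
    gcloud artifacts repositories get-iam-policy "$REPO" \
        --project="$PROJECT" --location="$LOCATION" > repo-policy.yaml
    gcloud projects get-iam-policy "$PROJECT" > project-policy.yaml
}

# Print every role bound to member $2 in policy file $1. gcloud lists a binding's
# "members" before its "role", so members are collected and printed on the role line.
roles_for_member() {
    awk -v want="$2" '
        /members:$/  { n = 0; next }
        /^  - /      { sub(/^  - /, ""); m[n++] = $0; next }
        /^  role: /  { r = $0; sub(/^  role: /, "", r)
                       for (i = 0; i < n; i++) if (m[i] == want) print r
                       n = 0 }
    ' "$1"
}

# True only when the member holds exactly roles/artifactregistry.reader in that file.
is_reader_only() {
    [ "$(roles_for_member "$1" "$2")" = "roles/artifactregistry.reader" ]
}

main() {
    grant_reader_on_repo
    export_policies
    is_reader_only repo-policy.yaml "$SA" \
        || { echo "repo: $SA has extra or missing roles"; exit 1; }
    [ -z "$(roles_for_member project-policy.yaml "$SA")" ] \
        || { echo "project: $SA is also bound at project level"; exit 1; }
    echo "$SA is reader-only on $REPO"
}

# Only talk to gcloud when explicitly asked, so the parser can be reused on saved policy files.
if [ "${RUN_GCLOUD:-0}" = "1" ]; then main; fi
```

The two exported files cover the repository and the project; bindings inherited from a folder or organization do not appear in either, which is what the Policy Analyzer mentioned in the first post is for. Keeping the grant on the repository rather than the project also limits what the key can reach if it leaks from the 3rd party.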