
Google Artifact Registry access from different projects


I would like to configure Google Artifact Registry in a single GKE project in a way that all other projects could access this Centralized Artifact Registry.

In the Google documentation it is not clear to me how to achieve this, especially for Google Kubernetes Engine nodes using the default service account.

Would you know how to configure the access to achieve that scenario?

Thank you,


Solution

  • With GKE, the node service account pulls the image to run it on the node. Therefore, you have to grant that node service account (or the Compute Engine default service account, if you use it) the permission to read the images in your Artifact Registry.

    You have 2 levels at which to grant the roles/artifactregistry.reader role to your service account:

    • Directly on the IAM page of your Artifact Registry project. Like that, the service account will have access to ALL the registries that you have created in the project.
    • Or at the registry level, to grant the service account access to that registry only and disallow the others.

    Here is an example:

    • Select your registry (checkbox on the left)
    • Add principal in the permission section on the right

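The same two grants done with gcloud instead of the console, as an added example that is not part of the original answer. The project, repository and location names are placeholders, and the node service account is assumed to be the Compute Engine default one (`<PROJECT_NUMBER>-compute@developer.gserviceaccount.com`); with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/usr/bin/env sh
# Added example: grant a workload project's GKE node service account read
# access to a registry hosted in a central project, either on one repository
# (least privilege) or on the whole registry project.
# Placeholder values below are assumptions; replace them with your own.
DRY_RUN="${DRY_RUN:-1}"

REGISTRY_PROJECT="${REGISTRY_PROJECT:-central-registry-project}"  # hosts Artifact Registry
REPO="${REPO:-app-images}"                                        # repository name
LOCATION="${LOCATION:-europe-west1}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Compute Engine default service account used by GKE nodes when no dedicated
# node service account was configured. Argument: the workload project NUMBER.
node_sa() {
    printf 'serviceAccount:%s-compute@developer.gserviceaccount.com' "$1"
}

# Registry-level grant: reader on this one repository only.
grant_repo_reader() {
    run gcloud artifacts repositories add-iam-policy-binding "$REPO" \
        --project="$REGISTRY_PROJECT" --location="$LOCATION" \
        --member="$(node_sa "$1")" --role=roles/artifactregistry.reader
}

# Project-level grant: reader on every repository in the registry project.
grant_project_reader() {
    run gcloud projects add-iam-policy-binding "$REGISTRY_PROJECT" \
        --member="$(node_sa "$1")" --role=roles/artifactregistry.reader
}

# Usage with a constructed project number; repeat per GKE workload project.
grant_repo_reader 123456789012
```

Prefer the repository-level grant unless every repository in the central project is meant to be readable by every workload project.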