Tags: google-cloud-platform, terraform, google-iam

Defining a Cloud Run service in Terraform with a Docker image in another project's GCS bucket


I am currently terraforming a GCP project (let's call it project B) which needs access to Docker images stored in another GCP project (project A). It looks roughly like the following:

provider "google" {
  credentials = "project-B-sa.json" # authentication as a service account in project B
  project     = "project-B"         # resources below are created in project B
}


# ---- Service Account (runtime identity of the Cloud Run service)
resource "google_service_account" "cloud_run_sa" {
  account_id = "cloud-run-sa"
}

# ---- Cloud Run service
resource "google_cloud_run_service" "cloud_run_service" {
  name     = "cloud-run-service"
  location = "europe-west1" # required argument; region is an example value
  template {
    spec {
      containers {
        # image lives in project A's registry, not in project B
        image = "gcr.io/project-A/docker-image:latest"
      }
      service_account_name = google_service_account.cloud_run_sa.email
    }
  }
}

I have granted both "Storage Object Viewer" and "Storage Legacy Bucket Reader" for the whole project B service account and the Cloud Run service account, but terraform apply times out after one minute and greets me with the following error message:

Error: Error waiting to create Service: resource is in failed state "Ready:False", message: Revision 'cloud-run-service-n6hzp' is not ready and cannot serve traffic. Google Cloud Run Service Agent must have permission to read the image, gcr.io/project-A/docker-image:latest. Ensure that the provided container image URL is correct and that the above account has permission to access the image. If you just enabled the Cloud Run API, the permissions might take a few minutes to propagate. Note that the image is from project [project A], which is not the same as this project [project B]. Permission must be granted to the Google Cloud Run Service Agent from this project.

How can I access the docker images stored in the bucket in project A from project B?


Solution

  • Project B has a hidden Service Account called "Cloud Run Service agent" with email suffix @serverless-robot-prod.iam.gserviceaccount.com. You can only see it after toggling "Include Google-provided role grants" on the top left of the IAM admin panel.

    This account needs "Storage Object Viewer" on the artifacts bucket in project A.

    Source: https://cloud.google.com/run/docs/deploying#other-projects
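The grant described in the answer, expressed in Terraform, as an added example that is not part of the original question or answer. It assumes the project IDs "project-A" and "project-B", that the image is in the global gcr.io registry (whose backing bucket is named artifacts.<PROJECT_ID>.appspot.com; the regional eu.gcr.io / us.gcr.io / asia.gcr.io registries use eu.artifacts.<PROJECT_ID>.appspot.com and so on), and that a credential with permission to change bucket IAM in project A is available as "project-A-sa.json". The service agent's e-mail is built from the project number, not the project ID, so it is looked up rather than hard-coded.

```hcl
# Added example: give project B's Cloud Run Service Agent read access to the
# gcr.io artifacts bucket in project A. Project IDs, file names and the
# bucket name below are assumptions for illustration.

# Credentials that may set IAM on buckets in project A (assumed file name).
# The project-B credentials in the main provider cannot grant anything there.
provider "google" {
  alias       = "project_a"
  credentials = "project-A-sa.json"
  project     = "project-A"
}

# Project B's numeric project number; the Google-managed service agent is
# named after it, so the lookup is required.
data "google_project" "project_b" {
  project_id = "project-B"
}

locals {
  # Cloud Run Service Agent of project B (exists once run.googleapis.com
  # is enabled in project B).
  cloud_run_service_agent = "service-${data.google_project.project_b.number}@serverless-robot-prod.iam.gserviceaccount.com"

  # Bucket backing gcr.io for project A (assumption: global registry).
  gcr_bucket_project_a = "artifacts.project-A.appspot.com"
}

# Bucket-level grant, not a project-wide role: the agent gets read access to
# the image bucket in project A only, which is all the error message asks for.
resource "google_storage_bucket_iam_member" "cloud_run_agent_reads_images" {
  provider = google.project_a
  bucket   = local.gcr_bucket_project_a
  role     = "roles/storage.objectViewer"
  member   = "serviceAccount:${local.cloud_run_service_agent}"
}
```

Add `depends_on = [google_storage_bucket_iam_member.cloud_run_agent_reads_images]` to the `google_cloud_run_service` resource so the revision is not created before the grant exists; as the error message notes, a freshly granted role can still take a few minutes to propagate, so a first apply may need to be retried. Granting the service agent "Storage Object Viewer" on the single bucket is preferable to giving it the role on all of project A.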