Tags: google-cloud-platform, gcloud, google-artifact-registry

Google Artifact Registry PERMISSION_DENIED for projects.locations.operations


Question

I'm trying to create a minimal custom role to delete artifacts from Google Artifact Registry for my ServiceAccount. The gcloud command deletes the artifact successfully, but then always fails with PERMISSION_DENIED on the project.locations.operations request. How do I get my ServiceAccount the project.locations.operations.get permission?

Details

The custom role has the following permissions:

artifactregistry.versions.delete,
artifactregistry.tags.get,
artifactregistry.tags.list,
artifactregistry.tags.delete,
artifactregistry.repositories.get,

This successfully deletes the image via gcloud, but the command always fails on the last sent request:

Delete request issued.
Waiting for operation [projects/MYPROJ/locations/MYLOC/operations/12345-12345-12345-12345] to complete...
==== request start ====
uri: https://artifactregistry.googleapis.com/v1/projects/MYPROJ/locations/MYLOC/operations/12345-12345-12345-12345?alt=json
method: GET
== headers start ==
b'accept': b'application/json'
b'accept-encoding': b'gzip, deflate'
Waiting for operation [projects/MYPROJ/locations/MYLOC/operations/12345-12345-12345-12345] to complete...
b'authorization': --- Token Redacted ---
b'content-length': b'0'
b'user-agent': b'google-cloud-sdk gcloud/470.0.0 command/gcloud.artifacts.docker.images.delete invocation-id/12345123451234512345 environment/None environment-version/None client-os/MYOS client-os-ver/OSVERSION client-pltf-arch/MYARCH interactive/True from-script/False python/3.11.4 term/xterm-256color (MYOS OSVERSION)'
b'x-allowed-locations': b'0x0'
b'x-goog-api-client': b'cred-type/sa'
== headers end ==
== body start ==

== body end ==
==== request end ====
Waiting for operation [projects/MYPROJ/locations/MYLOC/operations/12345-12345-12345-12345] to complete...
---- response start ----
status: 403
-- headers start --
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: private
Content-Encoding: gzip
Content-Type: application/json; charset=UTF-8
Date: Fri, 02 Aug 2024 16:00:41 GMT
Server: ESF
Transfer-Encoding: chunked
Vary: Origin, X-Origin, Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
-- headers end --
-- body start --
{
  "error": {
    "code": 403,
    "message": "Permission denied on operation projects/MYPROJ/locations/MYLOC/operations/12345-12345-12345-12345 (or it may not exist)",
    "status": "PERMISSION_DENIED"
  }
}

-- body end --
total round trip time (request+response): 0.248 secs
---- response end ----
----------------------
Waiting for operation [projects/MYPROJ/locations/MYLOC/operations/12345-12345-12345-12345] to complete...failed.
ERROR: (gcloud.artifacts.docker.images.delete) PERMISSION_DENIED: Permission denied on operation projects/MYPROJ/locations/MYLOC/operations/12345-12345-12345-12345 (or it may not exist)

How do I grant my ServiceAccount the projects.locations.operations.get permission?


Solution

  • The missing permission was artifactregistry.versions.get.

    So the final custom role has these permissions:

    artifactregistry.repositories.get
    artifactregistry.tags.delete
    artifactregistry.tags.get
    artifactregistry.tags.list
    artifactregistry.versions.delete
    artifactregistry.versions.get
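Turning the answer's final permission set into a reproducible least-privilege setup, as an added shell example that is not part of the question or the answer. It assumes gcloud is installed and authenticated as a principal that may create custom roles and bind project IAM policy; PROJECT_ID, ROLE_ID and SA_EMAIL are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or answer. Assumes gcloud is
# installed and authenticated as a principal allowed to create custom roles
# and set project IAM policy; PROJECT_ID, ROLE_ID, SA_EMAIL are placeholders.
set -eu

# Final permission set from the answer. There is no IAM permission named
# "projects.locations.operations.get": gcloud's poll of the delete operation
# is authorized by artifactregistry.versions.get.
REQUIRED_PERMISSIONS="artifactregistry.repositories.get
artifactregistry.tags.delete
artifactregistry.tags.get
artifactregistry.tags.list
artifactregistry.versions.delete
artifactregistry.versions.get"

# Print each required permission absent from the newline-separated list on
# stdin (for example a role's includedPermissions). Prints nothing if complete.
missing_permissions() {
  local have perm
  have=$(cat)
  printf '%s\n' "$REQUIRED_PERMISSIONS" | while IFS= read -r perm; do
    printf '%s\n' "$have" | grep -qxF "$perm" || printf '%s\n' "$perm"
  done
}

# Write a role definition for `gcloud iam roles create --file`.
write_role_yaml() {
  {
    echo "title: Artifact Registry image deleter"
    echo "description: Delete images and poll the resulting operation"
    echo "stage: GA"
    echo "includedPermissions:"
    printf -- '- %s\n' $REQUIRED_PERMISSIONS
  } > "$1"
}

# Create the role, bind it to the service account, then read the role back
# and report anything missing (value() joins repeated fields with ';').
create_and_bind() {
  local project=$1 role_id=$2 sa_email=$3 yaml
  yaml=$(mktemp)
  write_role_yaml "$yaml"
  gcloud iam roles create "$role_id" --project "$project" --file "$yaml"
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:$sa_email" --role "projects/$project/roles/$role_id"
  gcloud iam roles describe "$role_id" --project "$project" \
    --format 'value(includedPermissions)' | tr ';' '\n' | missing_permissions
}
```

`create_and_bind PROJECT_ID ROLE_ID SA_EMAIL` performs the live change; `missing_permissions` can also be run on its own against any existing role's permission list to spot the gap the question hit.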