I have a Google Service Account (GSA) which I'm trying to use to list docker images. For example:
curl -sL https://us-central1-docker.pkg.dev/v2/_catalog --user "_json_key_base64:${GSA_KEY_B64?}"
{
"repositories" : []
}
I'd prefer if the GSA only had roles/artifactregistry.reader on a specific registry, which is fine for pulling specific images, but results in an empty _catalog. I've tried:
- roles/artifactregistry.reader on the specific registry --> empty results
- roles/viewer on the specific registry --> empty results
- roles/artifactregistry.reader on the entire GCP project --> empty results
- roles/viewer on the entire GCP project --> results! (but this is too coarse IMO)
I've compared artifactregistry.* permissions on the Viewer role with the Artifact Registry Reader role and the only real difference I see is artifactregistry.repositories.getIamPolicy. I don't see anything specific to _catalog in the Access Control Docs.
So what's the fine-grained permission/role needed to list repos in the _catalog API?
To use the v2/_catalog API you need 2 roles:
- roles/artifactregistry.reader on either the project level, or on a specific Artifact Registry
- roles/browser on the project level
In particular you need the permission resourcemanager.projects.get. This allows retrieving project metadata (including project-level resource listings). This permission is included in over 1000 roles out of the +/- 1700 roles available, so usually you won't run into this if a user/GSA is assigned at least 1 project role.
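As an added example (not code from the question or the answer), a small Python client for the same /v2/_catalog endpoint and _json_key_base64 Basic-auth scheme used in the curl call above. It follows the registry's Link-header pagination and keeps the "200 with an empty list" case visible, since that is the IAM symptom the question describes rather than a transport failure. The host, key contents and the two-page response are constructed; the Link pagination form is assumed from the Docker Registry HTTP API V2.

```python
import base64
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample key: same shape as a GSA key file, placeholder values only.
SAMPLE_KEY = {"type": "service_account", "project_id": "example-project",
              "client_email": "catalog-reader@example-project.iam.gserviceaccount.com",
              "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"}

# fetch(url, headers) -> (status, response headers, body); injected so the walk runs offline.
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]

def json_key_base64_header(key: dict) -> str:
    """Authorization header for the _json_key_base64 scheme used in the curl call:
    HTTP Basic with user "_json_key_base64" and the base64-encoded key JSON as password."""
    key_b64 = base64.b64encode(json.dumps(key).encode()).decode()
    return "Basic " + base64.b64encode(f"_json_key_base64:{key_b64}".encode()).decode()

def parse_next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" target from a Link header (registry pagination), else None."""
    if not link_header:
        return None
    match = re.search(r'<([^>]+)>\s*;\s*rel="next"', link_header)
    return match.group(1) if match else None

def list_repositories(fetch: Fetch, host: str, key: dict, page_size: int = 100) -> List[str]:
    """Walk /v2/_catalog following Link pagination. A 200 with an empty list (the
    question's symptom) is returned as-is: it signals a missing project-level binding,
    not a transport error, so callers must not read it as 'no repositories exist'."""
    headers = {"Authorization": json_key_base64_header(key)}
    url = f"https://{host}/v2/_catalog?n={page_size}"
    repos: List[str] = []
    while url:
        status, resp_headers, body = fetch(url, headers)
        if status in (401, 403):
            raise PermissionError(f"{status} from {url}: check reader/browser bindings")
        if status != 200:
            raise RuntimeError(f"unexpected {status} from {url}")
        repos.extend(json.loads(body).get("repositories", []))
        nxt = parse_next_link(resp_headers.get("Link"))
        url = f"https://{host}{nxt}" if nxt and nxt.startswith("/") else nxt
    return repos

def fake_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Constructed two-page registry response standing in for the real endpoint."""
    if "last=" not in url:
        link = '</v2/_catalog?n=2&last=example-project%2Frepo%2Fimg-b>; rel="next"'
        return 200, {"Link": link}, b'{"repositories":["example-project/repo/img-a","example-project/repo/img-b"]}'
    return 200, {}, b'{"repositories":["example-project/repo/img-c"]}'
```

To run it against a real registry, replace fake_fetch with a transport that performs the HTTPS request and returns the same (status, headers, body) tuple, and pass a real key instead of SAMPLE_KEY.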