Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What are the minimum permissions/role for a service account required to read/write to Google Container Registry?

Tags:

google-cloud-platform

google-container-registry

drone.io

I am trying to create a service role for a drone instance which builds and pushed a docker image to Google Container Registry.

It works with the role project>owner (presumably project>editor would work too). I have not been able to find a way to restrict it only to have permission to push to GCR, or find out what the minimal permissions are.

Service account roles

like image 662
Stan Bondi Avatar asked Sep 28 '16 08:09

Stan Bondi

People also ask

What are the roles required to read access for container registry?

You must grant the service account with IAM permissions to access the storage bucket used by Container Registry. The service account must have the cloud-platform scope. This scope grants permissions to push and pull images, as well as run gcloud commands.

Which of the below permissions are necessary in order to use the Google Cloud console?

The following page discusses the Identity and Access Management (IAM) permissions required to perform actions within the Cloud Storage portion of the Google Cloud console. IAM permissions are bundled together to make roles, and you grant roles to users and groups.

Which basic permissions allows you to change access permissions on resources in GCP?

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

1 Answers

There is no permission to only allow it to push to GCR. The minimum permission to allow push is "Storage Object Creator". And this permission also allows the user to write to Google Cloud Storage, as suggested by the role's name.

Update: The correct minimum permission (IAM role) to allow push is "Storage Admin" based on current implementation.

like image 57
Wei Avatar answered Sep 21 '22 20:09

Wei
Sign in to Comment

Related questions

Link Facebook to Firebase Anonymous Auth without calling Facebook API
I am able to add composite indexes to index.yaml file and get it to work without removing and reloading the data from datastore
FCMMessagingService in clean architecture?
Add on touch listener for Firebase RecyclerView
Firebase retrieve all data on app start
Terminate google cloud compute engine instance with shell/bash script
How can I log to Google Cloud Logging from an AngularJS application?
How to alert on the Kubernetes Cluster health?
(setValue:) Cannot store object of type _SwiftValue at pictureURL. Can only store objects of type NSNumber, NSString, NSDictionary, and NSArray
Build runs but archive fails when referencing Firebase in multiple targets with CocoaPods
java.lang.RuntimeException: Unable to instantiate activity in Flutter
firebase function with realtime database error
Firebase Firestore toObject fails on Boolean property mapping
What is the difference between a realtime database and a "normal" database?
Issuing certificate as Secret does not exist
There is no API Console project with the id specified in the manifest's api_console_project_id field
FieldValue arrayUnion and Cloud FireStore with Flutter
Firebase App Distribution - "Waiting for developer" message
taskSnapshot.getDownloadUrl() method not working
ERROR: (gcloud.compute.ssh) Could not fetch resource: - Insufficient Permission

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!