Closed biswalc closed 1 day ago
gcrane should pick up default credentials from wherever you're running it...
Is that service account your ADC wherever you're invoking gcrane? I.e. you have impersonated via:
gcloud auth application-default login --impersonate-service-account $ACCOUNT
Also would be curious to see if both of these fail or only one:
gcrane ls us.gcr.io/my-project/my-analysis
gcrane ls us-docker.pkg.dev/my-project/my-analysis/my-analysis
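The ADC question raised in the comment above can be checked by reading the ADC file itself, since `gcloud auth list` reports the gcloud CLI's active account rather than Application Default Credentials. The following is an added example, not code from this thread or from the gcrane project; it assumes the Linux/macOS ADC path and the JSON field names that gcloud writes, and the sample account is constructed.

```python
import json
import os
import re
from pathlib import Path

# Default ADC location written by `gcloud auth application-default login` (Linux/macOS).
WELL_KNOWN = Path.home() / ".config" / "gcloud" / "application_default_credentials.json"
_SA_IN_URL = re.compile(r"/serviceAccounts/([^/:]+):generateAccessToken$")


def adc_path(env=os.environ):
    """Return the ADC file that would be read: env var first, then the well-known file."""
    override = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    return Path(override) if override else WELL_KNOWN


def describe_adc(doc):
    """Map a parsed ADC JSON document to (credential type, identity it resolves to)."""
    kind = doc.get("type", "unknown")
    if kind == "service_account":
        return kind, doc.get("client_email", "<missing client_email>")
    if kind == "impersonated_service_account":
        m = _SA_IN_URL.search(doc.get("service_account_impersonation_url", ""))
        return kind, m.group(1) if m else "<unparseable impersonation URL>"
    if kind == "authorized_user":
        # User credentials carry only a refresh token, no service account e-mail.
        return kind, "<end-user login, not a service account>"
    return kind, "<unrecognised credential type>"


# Constructed sample: shape of the file after login with --impersonate-service-account.
SAMPLE_IMPERSONATED = json.loads("""{
  "type": "impersonated_service_account",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/example-sa@example-project.iam.gserviceaccount.com:generateAccessToken",
  "source_credentials": {"type": "authorized_user", "client_id": "x", "client_secret": "x", "refresh_token": "x"}
}""")

if __name__ == "__main__":
    path = adc_path()
    if path.is_file():
        print(path, *describe_adc(json.loads(path.read_text())))
    else:
        print(f"no ADC file at {path}")
```

If the reported type is `authorized_user`, ADC is a personal login and the service account shown by `gcloud auth list` is not what ADC-based tools will present to the registry.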
This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.
Describe the bug
Following the guide from https://cloud.google.com/artifact-registry/docs/docker/copy-from-gcr
I attempted to transfer the images from GCR to GAR using gcrane and it failed.
Permissions: The service account (biswal-actions-sa) used to do the operation has both the below permissions:
Also the Google managed service account ('serviceAccount:service-123456789@gcp-sa-artifactregistry.iam.gserviceaccount.com') has the permissions
gcloud auth list shows the desirable active SA:
Copy command executed:
This generates the error:
When I do the following steps they work out fine:
Google Support mentioned trying the execution in Gcloud Shell, and I faced the same issue there.
To Reproduce
Expected behavior
gcrane should process the source, and the Artifact Registry should be able to import the image layers without having to download them to the bastion machine where gcrane is running.
Additional context
Add any other context about the problem here.
Output of crane version
Registry used (e.g., GCR, ECR, Quay) From GCR to GAR