google cloud platform – What IAM role is required for using the Docker Registry _catalog v2 API with GCP Artifact Registry?
I have a Google Service Account (GSA) which I’m trying to use to list docker images. For example:
curl -sL https://us-central1-docker.pkg.dev/v2/_catalog --user "_json_key_base64:${GSA_KEY_B64?}"
{
"repositories" : []
}
I’d prefer if the GSA only had roles/artifactregistry.reader on a specific registry, which is fine for pulling specific images, but results in an empty _catalog. I’ve tried:
- roles/artifactregistry.reader on the specific registry -> empty results
- roles/viewer on the specific registry -> empty results
- roles/artifactregistry.reader on the entire GCP project -> empty results
- roles/viewer on the entire GCP project -> results! (but this is too coarse IMO)
I’ve compared the artifactregistry.* permissions on the Viewer role with the Artifact Registry Reader role, and the only real difference I see is artifactregistry.repositories.getIamPolicy. I don’t see anything specific to _catalog in the Access Control Docs.
So what’s the fine-grained permission/role needed to list repos in the _catalog API?
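The role comparison the question describes was done by eye; the script below is an added example (not from the question or from Google's tooling) that automates it: it filters two roles' permission lists down to artifactregistry.* and prints what the first role grants that the second does not. The permission lists embedded here are constructed, abbreviated stand-ins so the script runs offline; the gcloud commands in the comments show one way to obtain the real lists.

```shell
#!/usr/bin/env sh
# Compare the artifactregistry.* permissions of two IAM roles.
#
# Real inputs can be produced with (one line per permission):
#   gcloud iam roles describe roles/viewer \
#       --format='value[delimiter="\n"](includedPermissions)'
#   gcloud iam roles describe roles/artifactregistry.reader \
#       --format='value[delimiter="\n"](includedPermissions)'
#
# CONSTRUCTED sample data: abbreviated stand-ins for that output, not the
# real role definitions, so the script runs without GCP credentials.
VIEWER_PERMS='artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.getIamPolicy
artifactregistry.repositories.list
compute.instances.get'

READER_PERMS='artifactregistry.repositories.downloadArtifacts
artifactregistry.repositories.get
artifactregistry.repositories.list'

# Print the artifactregistry.* permissions present in $1 but absent from $2.
# Both lists are reduced to the artifactregistry.* prefix, de-duplicated and
# sorted so that comm(1) can take the set difference.
ar_perms_only_in_first() {
    tmp_a=$(mktemp)
    tmp_b=$(mktemp)
    printf '%s\n' "$1" | grep '^artifactregistry\.' | sort -u > "$tmp_a"
    printf '%s\n' "$2" | grep '^artifactregistry\.' | sort -u > "$tmp_b"
    comm -23 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Usage: what does roles/viewer grant on Artifact Registry that the reader role lacks?
ar_perms_only_in_first "$VIEWER_PERMS" "$READER_PERMS"
```

Swap the argument order to see permissions the reader role has that Viewer lacks (none in the constructed sample).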