google cloud platform – What IAM role is required for using the Docker Registry _catalog v2 API with GCP Artifact Registry?

I have a Google Service Account (GSA) which I’m trying to use to list docker images. For example:

curl -sL https://us-central1-docker.pkg.dev/v2/_catalog --user "_json_key_base64:${GSA_KEY_B64?}"

{
   "repositories" : []
}

I’d prefer if the GSA only had roles/artifactregistry.reader on a specific registry which is fine for pulling specific images, but results in an empty _catalog. I’ve tried:

  • roles/artifactregistry.reader on the specific registry -> empty results
  • roles/viewer on the specific registry -> empty results
  • roles/artifactregistry.reader on the entire GCP Project -> empty results
  • roles/viewer on the entire GCP project -> results! (but this is too coarse IMO)

I’ve compared artifactregistry.* permissions on the viewer role with the Artifact Registry Reader role and the only real difference I see is artifactregistry.repositories.getIamPolicy. I don’t see anything specific to _catalog in the Access Control Docs.

So what’s the fine-grained permission/role needed to list repos in the _catalog API?
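The comparison the question describes (diffing the permissions of two roles and looking only at the artifactregistry.* ones) is tedious to do by eye. Below is an added example helper, not code from the question or from Google, that does it programmatically and also picks the narrowest of several candidate roles that still covers a required set of permissions. The role definitions embedded in it are constructed sample data shaped like the JSON that gcloud iam roles describe ROLE --format=json returns (its includedPermissions field); the role names are hypothetical and the permission lists are not the real contents of roles/viewer or roles/artifactregistry.reader.

```python
"""Diff IAM role permissions and pick the narrowest role covering a need.

Added example, not part of the original question. Input is the JSON shape
produced by `gcloud iam roles describe ROLE --format=json`; the sample
roles below are constructed and deliberately tiny.
"""
import json

# Constructed sample input (hypothetical role names, trimmed permission lists).
SAMPLE_BROAD_ROLE = json.dumps({
    "name": "roles/exampleBroadRole",
    "includedPermissions": [
        "artifactregistry.repositories.get",
        "artifactregistry.repositories.list",
        "artifactregistry.repositories.getIamPolicy",
        "artifactregistry.repositories.downloadArtifacts",
        "storage.buckets.list",
    ],
})
SAMPLE_NARROW_ROLE = json.dumps({
    "name": "roles/exampleNarrowRole",
    "includedPermissions": [
        "artifactregistry.repositories.get",
        "artifactregistry.repositories.list",
        "artifactregistry.repositories.downloadArtifacts",
    ],
})


def load_permissions(role_json: str) -> set[str]:
    """Return the includedPermissions of one role as a set."""
    return set(json.loads(role_json).get("includedPermissions", []))


def diff_permissions(role_a_json: str, role_b_json: str, prefix: str = ""):
    """Compare two roles, keeping only permissions that start with `prefix`.

    Returns (only_in_a, only_in_b, common) as sorted lists so the output is
    stable and easy to read in a terminal.
    """
    a = {p for p in load_permissions(role_a_json) if p.startswith(prefix)}
    b = {p for p in load_permissions(role_b_json) if p.startswith(prefix)}
    return sorted(a - b), sorted(b - a), sorted(a & b)


def narrowest_covering_role(role_jsons: list[str], required: set[str]):
    """Return the name of the role with the fewest permissions that still
    grants every permission in `required`, or None if no candidate does.

    This is the least-privilege question behind the post: given the
    permissions a caller actually needs, which candidate role is smallest?
    """
    best_name, best_size = None, None
    for role_json in role_jsons:
        perms = load_permissions(role_json)
        if not required <= perms:
            continue
        if best_size is None or len(perms) < best_size:
            best_name, best_size = json.loads(role_json)["name"], len(perms)
    return best_name


if __name__ == "__main__":
    only_a, only_b, common = diff_permissions(
        SAMPLE_BROAD_ROLE, SAMPLE_NARROW_ROLE, prefix="artifactregistry.")
    print("only in broad role :", only_a)
    print("only in narrow role:", only_b)
    print("common             :", common)
    need = {"artifactregistry.repositories.list",
            "artifactregistry.repositories.downloadArtifacts"}
    print("narrowest role covering need:",
          narrowest_covering_role([SAMPLE_BROAD_ROLE, SAMPLE_NARROW_ROLE], need))
```

To use it against real roles, save the output of gcloud iam roles describe for each role to a file and pass the file contents in place of the constructed strings; the prefix argument keeps the report to one service so the one or two permissions that differ stand out.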