GCP: Container Repository replication fails in Geo due to permission denied
- GET version:
main
- Cloud Provider: GCP
- Environment configuration: 3k CNH + 3k CNH
3k CNH + 3k CNH Geo setup is failing with Container Registry Replication:
irb(main):011:0> Geo::ContainerRepositorySync.new(container_repository).execute
/srv/gitlab/ee/lib/ee/container_registry/client.rb:77:in 'get_upload_url':
Get upload URL error: {"errors"=>[{"code"=>"UNKNOWN", "message"=>"unknown error",
"detail"=>{"DriverName"=>"gcs", "Enclosed"=>{"code"=>403, "message"=>"glsec-gke-supporting@<redacted>.iam.gserviceaccount.com
does not have storage.objects.create access to the Google Cloud Storage object.
Permission 'storage.objects.create' denied on resource (or it may not exist).", "details"=>nil,
"Body"=>"{\"error\":{\"code\":403,\"message\":\"glsec-gke-supporting@<redacted>.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).\",\"errors\":[{\"message\":\"glsec-gke-supporting@<redacted>.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist).\",\"domain\":\"global\",\"reason\":\"forbidden\"}]}}", "Header"=>{"Cache-Control"=>["no-cache, no-store, max-age=0, must-revalidate"], "Content-Length"=>["564"], "Content-Type"=>["text/html; charset=UTF-8"], "Date"=>["Wed, 01 Nov 2023 18:28:37 GMT"], "Expires"=>["Mon, 01 Jan 1990 00:00:00 GMT"], "Pragma"=>["no-cache"], "Server"=>["UploadServer"], "Vary"=>["Origin", "X-Origin"], "X-Guploader-Uploadid"=>["----"]}, "Errors"=>[{"reason"=>"forbidden", "message"=>"glsec-gke-supporting@<redacted>.iam.gserviceaccount.com does not have storage.objects.create access to the Google Cloud Storage object. Permission 'storage.objects.create' denied on resource (or it may not exist)."}]}}}]} (EE::ContainerRegistry::Client::Error)
irb(main):012:0>
Edited by Nailia Iskhakova