GCP Federation Identity Integration does not authorise docker image pull from a private GCP registry

Hi,

We set up the gitlab.com integration with GCP. It is working fine. A gitlab job doing:

deploy:
  image: google/cloud-sdk:latest
  identity: google_cloud
  script:
    - gcloud compute instances list

ends successfully. But instead of using a public image we would like to use a docker image from our private GCP registry. The gitlab job doing:

use-gcp-image:
  image: europe-docker.pkg.dev/newpos-internal/docker-private/docker-build:1.0.2
  identity: google_cloud
  services:
    - gcloud compute instances list

fails with:

Running with gitlab-runner 17.10.0~pre.41.g5c23fd8e (5c23fd8e)
  on blue-6.saas-linux-small-amd64.runners-manager.gitlab.com/default nN8vMRS9Z, system ID: s_a899fcd611a3
Preparing the "docker+machine" executor
00:05
Using Docker executor with image europe-docker.pkg.dev/newpos-internal/docker-private/docker-build:1.0.2 ...
Starting service europe-docker.pkg.dev/newpos-internal/docker-private/docker-build:1.0.2...
Pulling docker image europe-docker.pkg.dev/newpos-internal/docker-private/docker-build:1.0.2 ...
WARNING: Failed to pull image with policy "always": Error response from daemon: Head "https://europe-docker.pkg.dev/v2/newpos-internal/docker-private/docker-build/manifests/1.0.2": denied: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.downloadArtifacts" on resource "projects/newpos-internal/locations/europe/repositories/docker-private" (or it may not exist) (manager.go:254:1s)
ERROR: Job failed: failed to pull image "europe-docker.pkg.dev/newpos-internal/docker-private/docker-build:1.0.2" with specified policies [always]: Error response from daemon: Head "https://europe-docker.pkg.dev/v2/newpos-internal/docker-private/docker-build/manifests/1.0.2": denied: Unauthenticated request. Unauthenticated requests do not have permission "artifactregistry.repositories.downloadArtifacts" on resource "projects/newpos-internal/locations/europe/repositories/docker-private" (or it may not exist) (manager.go:254:1s)

The denied: Unauthenticated request hints that an auth token is not added at all and it is not just lacking permissions.

I believe that this should work, but I cannot find documentation about it.

  • Should this work, and if so, is there documentation about it?
  • If not, is the easiest way then to use the gitlab docker registry instead?

Best Regards Markus Meyer

Edited Oct 22, 2025 by 🤖 GitLab Bot 🤖
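
Added example (not part of the original issue, and not GitLab or Google code): a small triage helper for the distinction the report draws from the log, namely whether a registry denial says no credential was presented or a credential was presented but lacked the permission. The first sample line is the WARNING line from the job log above (shortened); the second is a hypothetical counter-case whose wording is an assumption, and the names `classify` and `PullDenial` are invented for this example.

```python
import re
from typing import NamedTuple, Optional

# Constructed input. Line 1 is the WARNING line from the job log above; line 2 is
# a hypothetical counter-case written for this example (its wording is assumed).
_PREFIX = ('WARNING: Failed to pull image with policy "always": Error response '
           'from daemon: Head "https://europe-docker.pkg.dev/v2/newpos-internal/'
           'docker-private/docker-build/manifests/1.0.2": denied: ')
_RESOURCE_TAIL = ('on resource "projects/newpos-internal/locations/europe/'
                  'repositories/docker-private" (or it may not exist)')
SAMPLE_LOG = [
    _PREFIX + 'Unauthenticated request. Unauthenticated requests do not have '
    'permission "artifactregistry.repositories.downloadArtifacts" ' + _RESOURCE_TAIL,
    _PREFIX + 'Permission "artifactregistry.repositories.downloadArtifacts" '
    'denied ' + _RESOURCE_TAIL,
    'Preparing the "docker+machine" executor',
]

class PullDenial(NamedTuple):
    image: str                 # registry/path:tag rebuilt from the manifest URL
    credential_sent: bool      # False when the registry saw no credential at all
    permission: Optional[str]  # IAM permission named in the denial, if any
    resource: Optional[str]    # repository resource named in the denial, if any

_MANIFEST_URL = re.compile(r'(?:Head|Get) "https://([^/"]+)/v2/(.+?)/manifests/([^"]+)"')
_PERMISSION = re.compile(r'permission "([^"]+)"', re.IGNORECASE)
_RESOURCE = re.compile(r'on resource "([^"]+)"')

def classify(line: str) -> Optional[PullDenial]:
    """Return details for a registry 'denied' line, or None for any other line."""
    if "denied:" not in line:
        return None
    image = "<unknown>"
    url = _MANIFEST_URL.search(line)
    if url:
        host, path, ref = url.groups()
        sep = "@" if ref.startswith("sha256:") else ":"  # digest vs. tag reference
        image = f"{host}/{path}{sep}{ref}"
    perm = _PERMISSION.search(line)
    res = _RESOURCE.search(line)
    return PullDenial(
        image=image,
        credential_sent="Unauthenticated request" not in line,
        permission=perm.group(1) if perm else None,
        resource=res.group(1) if res else None,
    )
```

A result with `credential_sent=False` matches the reading in the report: the pull carried no token, so IAM bindings for the federated identity were never evaluated.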