I have a service account with the artifactregistry.reader permission, bound to the argocd-image-updater service account:
gcloud iam service-accounts add-iam-policy-binding [email protected] --role roles/iam.workloadIdentityUser --member "serviceAccount:XXX.svc.id.goog[argocd/argocd-image-updater]"
And annotated the argocd-image-updater service account:
kubectl -n argocd annotate serviceaccount argocd-image-updater iam.gke.io/gcp-service-account=argocd-gcr-secret@XXX.iam.gserviceaccount.com
And I retrieve the access token with this script:
ACCESS_TOKEN=$(wget --header 'Metadata-Flavor: Google' http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token -q -O - | grep -Eo '"access_token":.*?[^\\]",' | cut -d '"' -f 4)
echo "oauth2accesstoken:$ACCESS_TOKEN"
I can even create a pod with argocd-image-updater and log in to us-east1-docker.pkg.dev:
docker login -u oauth2accesstoken -p $ACCESS_TOKEN us-east1-docker.pkg.dev
But in argocd image updater I see this error:
time="2023-10-16T23:03:38Z" level=debug msg="Considering this image for update" alias=myimage application=my-dev1-core image_name=XXX/dev1/core image_tag=3f7282a08ec3199505eaf72ed1109b67813a44 registry=us-east1-docker.pkg.dev
time="2023-10-16T23:03:38Z" level=debug msg="Using no version constraint when looking for a new tag" alias=myimage application=my-dev1-core image_name=XXX/dev1/core image_tag=3f7282a08ec319950560eaf72ed1109b67813a44 registry=us-east1-docker.pkg.dev
time="2023-10-16T23:03:38Z" level=error msg="Could not get tags from registry: Get \"https://us-east1-docker.pkg.dev/v2/XXX/dev1/core/tags/list\": denied: Permission \"artifactregistry.repositories.downloadArtifacts\" denied on resource \"projects/XXX/locations/us-east1/repositories/dev1\" (or it may not exist)" alias=myimage application=my-dev1-core image_name=XXX/dev1/core image_tag=3f7282a08ec319950560eaf72ed1109b67813a44 registry=us-east1-docker.pkg.dev
time="2023-10-16T23:03:38Z" level=info msg="Processing results: applications=1 images_considered=1 images_skipped=0 images_updated=0 errors=1"
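Added diagnostic script, not part of the question above and not argocd-image-updater's own code: it reproduces the exact request the updater makes (the /v2/.../tags/list call) from inside the pod, using the same metadata-server token and the same oauth2accesstoken basic-auth form that docker login used. It also prints which Google service account the pod actually presents, so a Workload Identity binding that did not take effect is distinguishable from a missing Artifact Registry permission. The script name, the "run" argument and the sample JSON are assumptions; the registry host and image path come from the question.

```shell
#!/bin/sh
# Added example (not from the question). Run inside the argocd-image-updater pod on GKE, e.g.:
#   kubectl -n argocd exec deploy/argocd-image-updater -- sh -s run us-east1-docker.pkg.dev XXX/dev1/core < check_ar_access.sh
# Uses only wget, sed, grep and base64 so it works in a BusyBox-based container.
METADATA_BASE="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"

# Pull access_token out of the metadata server's JSON reply without needing jq.
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Build the tags/list URL that argocd-image-updater requests for an image.
# $1 = registry host (us-east1-docker.pkg.dev), $2 = image path (XXX/dev1/core)
tags_list_url() {
  printf 'https://%s/v2/%s/tags/list' "$1" "$2"
}

# Same credential docker login used: basic auth with user oauth2accesstoken and the token as password.
basic_auth_header() {
  printf 'Authorization: Basic %s' "$(printf 'oauth2accesstoken:%s' "$1" | base64 | tr -d '\n')"
}

# Turn the registry's HTTP status into an explicit failure mode.
classify_status() {
  case "$1" in
    200) echo "ok: token accepted and repository readable" ;;
    401) echo "unauthenticated: token missing, expired or not presented" ;;
    403) echo "denied: identity lacks artifactregistry.reader on this repository (or it does not exist)" ;;
    404) echo "not found: wrong registry host, project or repository path" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Live check only when invoked with "run" (needs the metadata server and network access).
if [ "${1:-}" = "run" ]; then
  REGISTRY="${2:?registry host}"
  IMAGE="${3:?image path}"
  # 1. Which Google service account does this pod actually present? If this is not the
  #    annotated GSA, the Workload Identity binding is not in effect for this pod.
  echo "identity: $(wget -q -O - --header 'Metadata-Flavor: Google' "$METADATA_BASE/email")"
  # 2. Fetch a token and call the exact endpoint the updater failed on.
  TOKEN=$(extract_token "$(wget -q -O - --header 'Metadata-Flavor: Google' "$METADATA_BASE/token")")
  STATUS=$(wget -q -S -O /dev/null --header "$(basic_auth_header "$TOKEN")" \
             "$(tags_list_url "$REGISTRY" "$IMAGE")" 2>&1 \
           | grep -o 'HTTP/[0-9.]* [0-9]*' | tail -n 1 | sed 's/.* //')
  echo "tags/list -> ${STATUS:-no HTTP status} ($(classify_status "${STATUS:-0}"))"
fi
```

If the identity line shows the node's default service account rather than the annotated one, the pod is not running under the annotated Kubernetes service account or the node pool does not expose the GKE metadata server, and no registry permission will fix it. If the identity is right and tags/list returns 200, the token itself is fine and the remaining question is whether argocd-image-updater is configured to use it for this registry (its registries.conf supports an `ext:` credential script for exactly this case).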