Working with docker images in container/artifact registry
I am having trouble giving another Terra user access to a private Docker container in Google Container Registry (GCR). I have successfully pushed to and used a Docker image in Google Container Registry (GCR) following these instructions. But I am the only one who can access that container without making it public. When I create a new Terra group as suggested in the instructions, the resulting `firecloud.org` address is not recognized as a valid "principal" for granting permissions. Adding the new user to an existing Terra group that already has access to the relevant Cloud Storage bucket doesn't give that new Terra user access to pull the image when running a workflow.
- Is there something I can/should check to make sure everything is configured correctly?
- Is there a different approach recommended for giving others access to private containers?
The motivating concern is egress charges and unfortunately implementing the suggestions with perimeters will be much trickier due to needing to involve my campus IT. Thanks!
Hi Michael,
Thanks for writing in! Adding a Terra group to a private container is the recommended approach for giving users access, so I'd like to get to the bottom of why this isn't working. Can you send a screenshot of the error you're seeing stating that the address is not a valid principal?
Additionally, are other users in the existing Terra group you mentioned able to pull the image successfully? Is the user able to pull the image if you add their individual email to the bucket?
Kind regards,
Pamela
Thanks Pamela! I tried again yesterday and was able to add the newer group (firecloud.org address) as a principal and give it read permissions. And the person in question has been able to pull the image after removing public access to the bucket. So that is working as expected/intended!
Is there a delay between creating a group in Terra and being able to use that group for GCP permissions? I had previously unsuccessfully waited overnight (i.e., tried again in the morning), but perhaps that is not long enough? To try it out, I just created a new group and am unable to use that group as a principal (screenshots from the cloud storage console and the Terra groups interface below). Is there a known amount of time it might take? Or is there a way to explicitly synchronize the two systems?
To answer your other questions: There are just the two of us, so no one else has been given access or tried to pull the image (and we don't have other potential testers). It did not work to add the individual e-mail to the bucket.
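The check asked for in the original question, written as an added example (not part of this thread or of Terra's tooling): it reads the bucket IAM policy JSON that `gsutil iam get gs://BUCKET` returns for the GCR storage bucket, confirms the Terra group principal holds a role that permits pulling, and flags any binding that still leaves the images public. The group address, bucket name and policy contents below are constructed sample values.

```python
import json

# GCS roles that allow reading objects, which is what a pull of image layers
# from a GCR-backed bucket needs. Conditional bindings are skipped because a
# condition cannot be evaluated offline.
PULL_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def check_pull_access(policy_json: str, member: str):
    """Return (member_can_pull, bucket_is_public) for a bucket IAM policy.

    policy_json is the document returned by `gsutil iam get gs://BUCKET`
    (for gcr.io images the bucket is usually artifacts.PROJECT_ID.appspot.com;
    PROJECT_ID is a placeholder). member uses IAM syntax, e.g.
    'group:name@firecloud.org'.
    """
    policy = json.loads(policy_json)
    member_can_pull = False
    bucket_is_public = False
    for binding in policy.get("bindings", []):
        if "condition" in binding or binding.get("role") not in PULL_ROLES:
            continue
        members = set(binding.get("members", []))
        if member in members:
            member_can_pull = True
        if members & PUBLIC_MEMBERS:
            bucket_is_public = True
    return member_can_pull, bucket_is_public


# Constructed sample: the state described above, after the Terra group was
# granted read access and public access was removed.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:owner@example.org"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:my-lab@firecloud.org"]},
    ],
    "etag": "CAE=",
})

if __name__ == "__main__":
    print(check_pull_access(SAMPLE_POLICY, "group:my-lab@firecloud.org"))
```

A result of `(True, False)` is the intended configuration; `(False, …)` means the group is not bound to a pull-capable role, and any `True` in the second position means `allUsers` or `allAuthenticatedUsers` still has read access.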
Hi Michael,
I'm glad to hear the original issue is now resolved! It is definitely strange that there appears to be a delay after creating the Terra group, as this isn't something we have previously received reports of. My best guess would be that this is a result of the Google permission propagation delays documented in this known issues post. This is an issue where Google can take a while to synchronize permissions with Terra. Unfortunately, the length of time it takes for this to resolve can vary a good bit, so I can't provide a perfect estimate of how long it should take. How long would you say it took for the previous group to be added successfully?
Kind regards,
Pamela
Thanks for the info. Unfortunately I don't have a very precise estimate of the time before the new group was recognized. I would say more than a few hours (we tried again the next morning), but less than a few days.
Hi Michael,
Thanks for letting me know. As we have not received previous reports of this issue, I am unable to provide a guideline on how long this should take. Please let me know if you experience this issue again and I can have our engineers look further into why it may be happening.
Kind regards,
Pamela