This page shows you how to give Binary Authorization access to policies and container images that exist in different Google Cloud projects than your current project. For example, if you deploy images in your Google Kubernetes Engine (GKE) cluster from an Artifact Registry or Container Registry (Deprecated) repository that's owned by a different project, you'll need to give the Binary Authorization service in your project access to the image metadata in the source repository.
Terminology
This document uses the following terms:
- Service agent: A Google Cloud-managed service account. Binary Authorization uses a service agent to interact with your Google Cloud resources, like GKE clusters.
- Policy project: The Google Cloud project that contains your Binary Authorization policy.
- Cluster project: The Google Cloud project that contains your GKE cluster.
- Artifact project: The Google Cloud project that contains your Artifact Registry or Container Registry (Deprecated) repository.
Scenarios that require cross-project access
You must grant cross-project permissions in situations like the following:
- Your policy project is different than your cluster project.
- Your cluster project is different than your artifact project.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
Install the Google Cloud CLI.
-
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
-
To initialize the gcloud CLI, run the following command:
gcloud init -
Create or select a Google Cloud project.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Binary Authorization API:
gcloud services enable binaryauthorization.googleapis.com
-
Install the Google Cloud CLI.
-
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
-
To initialize the gcloud CLI, run the following command:
gcloud init -
Create or select a Google Cloud project.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Binary Authorization API:
gcloud services enable binaryauthorization.googleapis.com
Cluster project different than the policy project
Grant the Binary Authorization service agent in the cluster project the
Binary Authorization Policy Evaluator
(roles/binaryauthorization.policyEvaluator)
role on the policy project.
gcloud projects add-iam-policy-bindingPOLICY_PROJECT_ID\ --member="serviceAccount:service-$(gcloud projects describeCLUSTER_PROJECT_ID--format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com" \ --role=roles/binaryauthorization.policyEvaluator
Replace the following:
POLICY_PROJECT_ID: the ID of the project that contains your policy.CLUSTER_PROJECT_ID: the project ID of the cluster.
Cluster project different than the artifact project
Grant the Binary Authorization service agent in the cluster project the
Artifact Registry Reader
(roles/artifactregistry.reader) role on the artifact project.
gcloud projects add-iam-policy-bindingARTIFACT_PROJECT_ID\ --member="serviceAccount:service-$(gcloud projects describeCLUSTER_PROJECT_ID--format='value(projectNumber)')@gcp-sa-binaryauthorization.iam.gserviceaccount.com" \ --role=roles/artifactregistry.reader
Replace the following:
ARTIFACT_PROJECT_ID: the ID of the project that contains your Artifact Registry repository.CLUSTER_PROJECT_ID: the project ID that runs your GKE clusters.