If you have multiple Google Cloud Projects and want to pull Container Registry images from other projects, you will need to grant each project access by adding a role to a few service accounts specific to each project.
- For Kubernetes Engine or Compute Engine you will need to add the role to the Compute Engine default service account
- For Cloud Build you will need to add the role to the Cloud Build service account
Container Registry has no permissions of its own; it relies on permissions on the Cloud Storage bucket that is created automatically for it when you first push an image.
Confusingly, this requires the Project ID, not the Project Name.
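As an added example (not part of the original post), the Terraform below grants the Compute Engine default service account and the Cloud Build service account of two consumer projects read access to the host project's registry bucket. The project IDs and the "staging"/"prod" names are assumptions; the bucket name follows the `artifacts.PROJECT_ID.appspot.com` convention for gcr.io and must already exist (it is created on the first push), and the grant is scoped to that bucket rather than the whole project so the consumers get nothing beyond object reads.

```hcl
# Added example, not from the original post. All project IDs are placeholders.
locals {
  # Project ID (not the display name) of the project that hosts the images.
  host_project_id = "registry-host-project"

  # Consumer projects that need to pull images, keyed by a short label.
  consumer_projects = {
    staging = "staging-project"
    prod    = "prod-project"
  }

  # Bucket Container Registry created on the first push to gcr.io.
  registry_bucket = "artifacts.${local.host_project_id}.appspot.com"
}

# Look up each consumer project to obtain its numeric project number,
# which is what the default service account emails are built from.
data "google_project" "consumer" {
  for_each   = local.consumer_projects
  project_id = each.value
}

locals {
  # One member string per service account that pulls images:
  # the Compute Engine default SA (GKE / GCE nodes) and the Cloud Build SA.
  pullers = merge([
    for label, p in data.google_project.consumer : {
      "${label}-compute" = "serviceAccount:${p.number}-compute@developer.gserviceaccount.com"
      "${label}-build"   = "serviceAccount:${p.number}@cloudbuild.gserviceaccount.com"
    }
  ]...)
}

# Bucket-scoped, read-only grant: enough to docker pull, nothing more.
resource "google_storage_bucket_iam_member" "pull" {
  for_each = local.pullers
  bucket   = local.registry_bucket
  role     = "roles/storage.objectViewer"
  member   = each.value
}
```

Run this with a provider configured against the host project; `terraform plan` will fail on the data lookups if a consumer project ID is mistyped, which is the quickest way to catch the ID-versus-name mix-up.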
You have to use different names instead of `container_registry` two times. You have to change `var.project_id` to `local.project_ids`.
It didn’t work at all when using `google_storage_bucket_iam_member` but it worked when using `google_project_iam_member`. There you must not specify the bucket.