Prisma Cloud Compute: GAR Scan googleapi: Error 403: Request is prohibited by organization's policy
Created On 07/10/23 20:14 PM - Last Modified 05/01/25 16:00 PM
Symptom
- Google Artifact Registry scans fail with an error like the following:
failed to retrieve repositories info, request: &{Tag:<region>-docker.pkg.dev/<project>/<repository>/* Spec:google-artifact-<region>-docker.pkg.dev-<project>-<repository>-* Type:1 ScanID:58 RequestDoneFn:<nil> OnDemandScan:false}. Error: googleapi: Error 403: Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: <vpcServiceControlsUniqueIdentifier>
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.PreconditionFailure",
    "violations": [
      {
        "description": "<vpcServiceControlsUniqueIdentifier>",
        "type": "VPC_SERVICE_CONTROLS"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "consumer": "projects/<project_name>",
      "service": "artifactregistry.googleapis.com",
      "uid": "<vpcServiceControlsUniqueIdentifier>"
    },
    "reason": "SECURITY_POLICY_VIOLATED"
  }
]
, forbidden
Environment
- Prisma Cloud Compute SaaS version
- Prisma Cloud Compute Self-hosted version 21.08 and above
- Google Artifact Registry (GAR)
- Registry Scan
Cause
This error occurs when a VPC Service Controls perimeter denies one or more of the Artifact Registry API calls that the Artifact Registry Reader role grants to the scanning service account. The error details identify this case: the violation type is VPC_SERVICE_CONTROLS and the reason is SECURITY_POLICY_VIOLATED, which is not the same as an IAM permission denial.
Resolution
Create an exception for the scanning service account in the VPC Service Controls perimeter, or in the applicable organization policy, so that its requests to artifactregistry.googleapis.com for the affected project are allowed.
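To tell this perimeter denial apart from a plain IAM permission problem when reading Console logs, the following added helper (example code, not part of Prisma Cloud) parses the error text shown in the Symptom section, extracts the vpcServiceControlsUniqueIdentifier to look up in the VPC Service Controls audit logs, and reports which fix applies. The sample error and every value in it are constructed.

```python
import json
import re
# Constructed sample mirroring the Symptom section's error; all values are made up.
SAMPLE_ERROR = (
    "failed to retrieve repositories info, request: &{Tag:us-docker.pkg.dev/"
    "example-proj/example-repo/* ScanID:58}. Error: googleapi: Error 403: Request"
    " is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier:"
    " abc123def456\nDetails:\n"
    '[{"@type": "type.googleapis.com/google.rpc.PreconditionFailure", "violations":'
    ' [{"description": "abc123def456", "type": "VPC_SERVICE_CONTROLS"}]},\n'
    ' {"@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com",'
    ' "metadata": {"consumer": "projects/example-proj",'
    ' "service": "artifactregistry.googleapis.com", "uid": "abc123def456"},\n'
    ' "reason": "SECURITY_POLICY_VIOLATED"}]\n, forbidden'
)

def _details(text):
    """JSON array after 'Details:' ([] if absent); raw_decode stops at the closing
    bracket, so the trailing ', forbidden' is ignored."""
    pos = text.find("Details:")
    start = text.find("[", pos) if pos >= 0 else -1
    if start < 0:
        return []
    try:
        parsed, _ = json.JSONDecoder().raw_decode(text[start:])
    except ValueError:
        return []
    return parsed if isinstance(parsed, list) else [parsed]

def triage_gar_error(text):
    """Classify a GAR scan 403 as 'vpc_service_controls' (fix the perimeter/org
    policy) or 'iam' (fix the role); 'uid' is the id to search in VPC SC audit logs."""
    m = re.search(r"googleapi: Error (\d{3})", text)
    status = int(m.group(1)) if m else None
    r = {"status": status, "cause": "unknown", "uid": None, "service": None, "consumer": None}
    for item in _details(text):
        kind = item.get("@type", "")
        if kind.endswith("PreconditionFailure"):
            for v in item.get("violations", []):
                if v.get("type") == "VPC_SERVICE_CONTROLS":
                    r["cause"], r["uid"] = "vpc_service_controls", v.get("description")
        elif kind.endswith("ErrorInfo"):
            meta = item.get("metadata", {})
            r["service"], r["consumer"] = meta.get("service"), meta.get("consumer")
            if item.get("reason") == "SECURITY_POLICY_VIOLATED":
                r["cause"] = "vpc_service_controls"
    if r["cause"] == "unknown" and status == 403:
        # Heuristic when Details is missing: the uid marker alone still means VPC SC.
        r["cause"] = "vpc_service_controls" if "vpcServiceControlsUniqueIdentifier" in text else "iam"
    return r
```

Run it over the raw error string from the Console log; a result with cause 'iam' means the perimeter exception alone will not help and the service account's role must be checked instead.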
Additional Information
- The GCP credentials (service account) need, at minimum, the Artifact Registry Reader role.
- If an organization-level service account is used, the Google Artifact Registry scan will attempt to discover repositories matching the provided configuration in every project.
- See Scan images in Google Artifact Registry for more details.
- https://prismacloud.ideas.aha.io/ideas/PANW-I-5144