GoogleContainerRegistry

19th February 2018 at 8:29pm
Containers Docker GCE GCP Google Google Cloud Platform TechnicalNotes

Push (RW) access requires the roles/storage.admin (Storage Admin) role, which provides the following permissions: storage.buckets.create, storage.buckets.delete, storage.buckets.get, storage.buckets.list, storage.buckets.update, storage.objects.create, storage.objects.delete, storage.objects.get, storage.objects.list, storage.objects.update.

Pull (RO) access requires the roles/storage.objectViewer (Storage Object Viewer) role, which provides the following permissions: storage.objects.get and storage.objects.list.

# List your projects to get PROJECT_ID.
gcloud projects list

# Setup environment for convenience.
export PROJECT_ID="my-project-id"
export KEY_NAME="rw-key-name"
export KEY_DISPLAY_NAME="My RW Key Name"

# Create a new service account.
gcloud iam service-accounts create "${KEY_NAME}" \
  --display-name "${KEY_DISPLAY_NAME}"

# List service accounts to confirm creation (optional).
gcloud iam service-accounts list

# Create a new key for the service account.
gcloud iam service-accounts keys create \
  --iam-account "$KEY_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  rw-key.json

# Grant the service account push (RW) access with the roles/storage.admin role.
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member "serviceAccount:$KEY_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role "roles/storage.admin"

# Build and push your Docker image.
# Feed the key to docker login on stdin rather than with -p, so the key
# does not end up in the process list or your shell history.
docker build . -t eu.gcr.io/$PROJECT_ID/my-image-name
docker login -u _json_key --password-stdin https://eu.gcr.io < rw-key.json
docker push eu.gcr.io/$PROJECT_ID/my-image-name
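The note distinguishes push (roles/storage.admin) from pull (roles/storage.objectViewer) access, and a CI or deploy account often ends up with the former when it only needs the latter. The following is an added example, not part of the original note, that audits an exported project IAM policy for exactly that: it classifies every member by the GCR access level its roles grant and flags members that were meant to be pull-only but hold a push-capable role. It assumes the JSON shape emitted by `gcloud projects get-iam-policy PROJECT_ID --format=json` (a top-level "bindings" list of role/members objects); the embedded sample policy, the account names and the hypothetical `expected_pull_only` list are constructed for illustration.

```python
"""Audit an exported GCP IAM policy for Container Registry push/pull access.

Added example (not part of the original note). Assumes the policy JSON has the
shape emitted by `gcloud projects get-iam-policy PROJECT_ID --format=json`:
a top-level "bindings" list of {"role": ..., "members": [...]} objects.
"""
import json

# Roles named in the note, mapped to the GCR access level they grant.
PUSH_ROLES = {"roles/storage.admin"}
PULL_ROLES = {"roles/storage.objectViewer"}

# Constructed sample: what an exported project policy might look like.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:rw-key-name@my-project-id.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:ro-key-name@my-project-id.iam.gserviceaccount.com",
                 "serviceAccount:rw-key-name@my-project-id.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:bob@example.com"]}
  ],
  "etag": "BwExampleEtag=",
  "version": 1
}
"""


def load_sample_policy():
    """Parse the constructed sample policy (stands in for gcloud's JSON output)."""
    return json.loads(SAMPLE_POLICY_JSON)


def gcr_access_by_member(policy):
    """Return {member: "push" | "pull"} for every member holding a GCR-relevant role.

    A member that holds both roles is reported as "push" (the stronger level);
    members whose roles grant neither are omitted.
    """
    access = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role in PUSH_ROLES:
            level = "push"
        elif role in PULL_ROLES:
            level = "pull"
        else:
            continue
        for member in binding.get("members", []):
            # Never downgrade a member already recorded as "push".
            if level == "push" or member not in access:
                access[member] = level
    return access


def overprivileged_for_pull(policy, expected_pull_only):
    """List members that should only pull images but hold a push-capable role."""
    access = gcr_access_by_member(policy)
    return sorted(m for m in expected_pull_only if access.get(m) == "push")


def main():
    policy = load_sample_policy()
    for member, level in sorted(gcr_access_by_member(policy).items()):
        print(f"{level:5s} {member}")
    # Hypothetical list of accounts that are only supposed to pull images.
    pull_only = [
        "serviceAccount:ro-key-name@my-project-id.iam.gserviceaccount.com",
        "serviceAccount:rw-key-name@my-project-id.iam.gserviceaccount.com",
    ]
    print("over-privileged:", overprivileged_for_pull(policy, pull_only))


if __name__ == "__main__":
    main()
```

To run it against a real project, replace `load_sample_policy()` with `json.load()` over the output of `gcloud projects get-iam-policy "$PROJECT_ID" --format=json` and fill `pull_only` with the accounts that only need to pull.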