Open CharmanderJieniJieni opened 3 years ago
Our service account that runs the signer is hosted in project-a, while our images are hosted in GCR in project-b. We have given the service account all required roles in project-b and enabled the Container Analysis API in project-b.

However, when we run the signer, below is what it complains about:

```
main.go:191] Error waiting for vulnerability analysis it.Next: rpc error: code = PermissionDenied desc = Container Analysis API has not been used in project {project-a} before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/containeranalysis.googleapis.com/overview?project={project-a} then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
```

Why do we need to enable that in project-a, as all activities happen in project-b?

I think it's because the metadata (Notes and Occurrences) are created in the same project as the signer. Could you please confirm this is the case @ooq?

It looks like the service account in project-a was not given permission to Container Analysis in project-b. Specifically, if you go to the tutorial:

```sh
# permission to view vulnerability and attestation occurrences
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
    --role roles/containeranalysis.notes.occurrences.viewer
```

The first `PROJECT_ID` here should be project-b, and the second should be project-a. Have you tried that?

@ooq Yes, we already assigned all listed permissions in project-b, however we still needed to enable that API in project-a to get it to work.

@CharmanderJieniJieni You're right. Creating notes and attestations (occurrences) would require the Container Analysis API to be enabled in that project too.
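As an added example that is not code from this thread or from the Kritis signer project: a preflight shell script for the cross-project layout discussed above (signer service account in project-a; images, notes and occurrences in project-b). It encodes both points made in the thread: the IAM binding is created on the image project with a member from the signer project, and the Container Analysis API must be enabled in both projects. The `PermissionDenied` message the signer logs names the project the request is attributed to, which for service-account credentials is the project that owns the service account, not the project that owns the images, which is why `project-a` appears in the error even though every note and occurrence lives in `project-b`. The service account name `kritis-signer`, the `roles/containeranalysis.notes.attacher` role (taken from the signer tutorial, not shown on this page), and the sample error text (the page's message with the placeholder filled in) are assumptions.

```shell
#!/bin/sh
# Added example, not the Kritis signer's own code. All project and account
# names are placeholders taken from the thread or assumed.
SIGNER_PROJECT="${SIGNER_PROJECT:-project-a}"   # owns the signer's service account
IMAGE_PROJECT="${IMAGE_PROJECT:-project-b}"     # owns the GCR images, notes and occurrences
SA_NAME="${SA_NAME:-kritis-signer}"             # assumed service account name
SA="${SA_NAME}@${SIGNER_PROJECT}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print gcloud commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Project that owns an image reference such as gcr.io/project-b/app@sha256:...
# (regional hosts like us.gcr.io are handled too).
image_project() {
  printf '%s\n' "$1" | sed -n 's#^[^/]*gcr\.io/\([^/]*\)/.*#\1#p'
}

# Project named in the PermissionDenied message the signer logs when the API
# is disabled. This is the project the request was attributed to (the service
# account's home project), not necessarily the project holding the images.
project_from_error() {
  printf '%s\n' "$1" | sed -n 's/.*has not been used in project \([^ ]*\) before.*/\1/p'
}

# Enable the Container Analysis API in the image project (where notes and
# occurrences are created) and in the signer project (which the service
# account's requests are attributed to).
enable_apis() {
  for p in "$IMAGE_PROJECT" "$SIGNER_PROJECT"; do
    run gcloud services enable containeranalysis.googleapis.com --project "$p"
  done
}

# Roles the signer needs on the image project. The viewer role is the one
# quoted in the thread; the attacher role is assumed from the signer tutorial
# and is what allows attestation occurrences to be attached to a note.
ROLES="roles/containeranalysis.notes.occurrences.viewer roles/containeranalysis.notes.attacher"

# Bind each role on the IMAGE project to the service account from the SIGNER
# project: the resource is project-b, the member is from project-a.
grant_roles() {
  for role in $ROLES; do
    run gcloud projects add-iam-policy-binding "$IMAGE_PROJECT" \
      --member "serviceAccount:${SA}" --role "$role"
  done
}

# Run both steps; with the default DRY_RUN=1 this only prints the gcloud commands.
enable_apis
grant_roles
```

With `DRY_RUN=0` the same functions execute the gcloud commands; with the default they only print them, which makes the project ordering in the binding (resource `project-b`, member from `project-a`) easy to inspect before anything is changed. `project_from_error` is useful in a wrapper around the signer: if the project it extracts differs from the image's project, the cause is the credential's home project rather than a missing role on the image project.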