Using registry.gitlab.com from within a Google Cloud Project with VPC service controls enabled

I am pulling a Docker image from registry.gitlab.com from within a Google Cloud Project with VPC service controls enabled. This first resulted in a PERMISSION_DENIED error: NETWORK_NOT_IN_SAME_SERVICE_PERIMETER, which at first surprised me but quickly made sense when I found out that registry.gitlab.com is hosted at Google and I had not yet configured an egress rule. With a bit of help from Google I learned that I need to allow access using the gitlab-object-storage-prd@gitlab-production.iam.gserviceaccount.com service account. This works perfectly, but I would like to confirm whether I understand correctly how this works.

I currently assume that the docker pull request leaves my network through my default internet gateway and reaches registry.gitlab.com, which is also hosted in a Google Cloud Project. Your service notices that I am coming from another Google Cloud Project and so decides to redirect me to the Google Storage API with a signed URL like:

https://storage.googleapis.com/gitlab-gprd-registry/docker/registry/v2/blobs/sha256/5e/[...]/data?Expires=[...]&GoogleAccessId=gitlab-object-storage-prd%40gitlab-production.iam.gserviceaccount.com&Signature=[…]

I am trying to understand where this gitlab-object-storage-prd@gitlab-production.iam.gserviceaccount.com service account comes into play, as this is not something I have configured anywhere and the only thing I could come up with was the explanation above. It also explains why the Docker daemon has no problem finding out whether it needs to get a new image or can use its already cached image, as this is a relatively cheap HEAD request that is not redirected to the Google Storage API. Is this a correct assumption?
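An added example, not part of the original post and not GitLab's or Google's code: given a redirect target of the form quoted above, this reads the bucket, the signing identity and the expiry out of a Cloud Storage signed URL, which is the information needed when writing the egress rule. It goes beyond the post by also accepting the newer `X-Goog-Credential` (V4) form; the function name, the sample URLs and every value in them except the bucket and the service account are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

GCS_HOST = "storage.googleapis.com"

def describe_signed_url(location):
    """Return bucket, signer and expiry of a GCS signed URL, or None."""
    parts = urlsplit(location)
    host = (parts.hostname or "").lower()
    if host == GCS_HOST:                      # path style: /<bucket>/<object>
        bucket = parts.path.lstrip("/").partition("/")[0]
    elif host.endswith("." + GCS_HOST):       # virtual-hosted style
        bucket = host[: -len(GCS_HOST) - 1]
    else:
        return None                           # not a Cloud Storage redirect
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    try:
        if "GoogleAccessId" in q and "Expires" in q:        # V2 signing
            scheme, signer = "v2", q["GoogleAccessId"]
            expires = datetime.fromtimestamp(int(q["Expires"]), tz=timezone.utc)
        elif "X-Goog-Credential" in q and "X-Goog-Date" in q:  # V4 signing
            scheme = "v4"
            signer = q["X-Goog-Credential"].split("/", 1)[0]
            issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ")
            expires = issued.replace(tzinfo=timezone.utc) + timedelta(
                seconds=int(q["X-Goog-Expires"]))
        else:
            return None                       # unsigned or unknown scheme
    except (KeyError, ValueError):
        return None                           # malformed signing parameters
    return {"scheme": scheme, "bucket": bucket, "signer": signer,
            # member string as written in a VPC-SC egress rule's identities
            "identity": "serviceAccount:" + signer,
            "expires": expires.isoformat()}

# Constructed samples: digest path, Expires and Signature are placeholders.
SAMPLE_V2 = ("https://storage.googleapis.com/gitlab-gprd-registry/docker/"
             "registry/v2/blobs/sha256/ab/abcdef/data?Expires=1700000000"
             "&GoogleAccessId=gitlab-object-storage-prd%40gitlab-production"
             ".iam.gserviceaccount.com&Signature=CONSTRUCTED")
SAMPLE_V4 = ("https://example-bucket.storage.googleapis.com/obj"
             "?X-Goog-Algorithm=GOOG4-RSA-SHA256&X-Goog-Credential=signer%40"
             "example-project.iam.gserviceaccount.com%2F20240101%2Fauto%2F"
             "storage%2Fgoog4_request&X-Goog-Date=20240101T000000Z"
             "&X-Goog-Expires=900&X-Goog-Signature=CONSTRUCTED")

if __name__ == "__main__":
    for url in (SAMPLE_V2, SAMPLE_V4):
        print(describe_signed_url(url))
```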