需要为服务帐户授权以便在谷歌容器注册表中访问所需的镜像。以下是一个示例命令，可以在部署前为服务帐户授予必要的权限（需要先替换"[PROJECT_ID]"和"[IMAGE]"为实际的项目ID和镜像名称）：

gcloud projects add-iam-policy-binding [PROJECT_ID] --member serviceAccount:[PROJECT_ID]@appspot.gserviceaccount.com --role roles/storage.objectViewer

gcloud projects add-iam-policy-binding [PROJECT_ID] --member serviceAccount:[PROJECT_ID]@appspot.gserviceaccount.com --role roles/storage.objectCreator

gcloud beta iam service-accounts add-iam-policy-binding [PROJECT_ID]@appspot.gserviceaccount.com --member serviceAccount:[PROJECT_ID]@appspot.gserviceaccount.com --role roles/iam.serviceAccountUser

gcloud beta auth configure-docker

docker pull gcr.io/[PROJECT_ID]/[IMAGE]:[VERSION]

docker tag gcr.io/[PROJECT_ID]/[IMAGE]:[VERSION] [HOSTNAME]/[PROJECT_ID]/[IMAGE]:[VERSION]

gcloud docker -- push [HOSTNAME]/[PROJECT_ID]/[IMAGE]:[VERSION]

上述代码将给服务帐户添加了对存储桶的访问权限，并授予了“iam.serviceAccountUser”角色。然后，使用Docker镜像重新标记，并将其推送到Google容器注册表中。这样，在部署应用程序时，镜像就可以被访问并成功部署。