The Artifact Registry Service Agent is a Google-managed service account that acts on behalf of Artifact Registry when interacting with Google Cloud services.
When you create the first Artifact Registry repository in a Google Cloud project, the Artifact Registry Service Agent is automatically created. You can manually create the service account in a project without any repositories with the command:
    gcloud beta services identity create \
        --service=artifactregistry.googleapis.com \
        --project=PROJECT
Replace PROJECT with the Google Cloud project ID.
The Artifact Registry Service Agent is granted the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent) for resources in the project. To enforce the security principle of least privilege, the role only has the minimum required permissions:
- Publish Pub/Sub topics:
- Download artifacts from Artifact Registry repositories:
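
To confirm that a project still matches the least-privilege grant described above, you can audit the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`. The following is an added example, not part of the original documentation: the function names, the sample policy and the project number are constructed, and the service agent address format is an assumption that does not appear on this page.

```python
import json

# Role named on this page.
AGENT_ROLE = "roles/artifactregistry.serviceAgent"


def agent_member(project_number):
    # Assumption: address format of the Artifact Registry service agent.
    return ("serviceAccount:service-%s@gcp-sa-artifactregistry"
            ".iam.gserviceaccount.com" % project_number)


def audit_agent_bindings(policy, project_number):
    """Return a list of findings for the service agent in an IAM policy dict."""
    agent = agent_member(project_number)
    findings = []
    has_agent_role = False
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        members = binding.get("members", [])
        if agent in members:
            if role == AGENT_ROLE:
                has_agent_role = True
            else:
                # The agent should hold only its dedicated role.
                findings.append("agent holds extra role %s" % role)
        if role == AGENT_ROLE:
            # No other principal should carry the service agent role.
            for member in members:
                if member != agent:
                    findings.append("%s also holds %s" % (member, AGENT_ROLE))
    if not has_agent_role:
        findings.append("agent is missing %s" % AGENT_ROLE)
    return findings


# Constructed sample policy (project number 123456789012 is made up).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/artifactregistry.serviceAgent",
   "members": ["serviceAccount:service-123456789012@gcp-sa-artifactregistry.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["user:dev@example.com",
               "serviceAccount:service-123456789012@gcp-sa-artifactregistry.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for finding in audit_agent_bindings(SAMPLE_POLICY, "123456789012"):
        print(finding)
```

An empty result means the agent holds only roles/artifactregistry.serviceAgent at the project level and no other principal shares that role.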