Artifact Registry service account

Stay organized with collections Save and categorize content based on your preferences.

The Artifact Registry Service Agent is a Google-managed service account that acts on behalf of Artifact Registry when interacting with Google Cloud services.

When you create the first Artifact Registry repository in a Google Cloud project, the Artifact Registry Service Agent is automatically created. You can manually create the service account in a project without any repositories with the command:

gcloud beta services identity create \
    --service=artifactregistry.googleapis.com \
    --project=PROJECT

Replace PROJECT with the Google Cloud project ID.

The Artifact Registry Service Agent is granted the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent) for resources in the project. To enforce the security principle of least privilege, the role only has the minimum required permissions:

  • Publish Pub/Sub topics: pubsub.topics.publish
  • Download artifacts from Artifact Registry repositories: artifactregistry.repositories.downloadArtifacts
  • Delete artifacts: artifactregistry.versions.delete

What's next

Learn about Artifact Registry roles and configuring access to repositories.