Artifact Registry Service Agent

The Artifact Registry Service Agent acts on behalf of Artifact Registry when interacting with Google Cloud services.

After you create the first Artifact Registry repository in a Google Cloud project, the Artifact Registry Service Agent is automatically created. The service agent identifier is:

service-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com

PROJECT-NUMBER is the project number of the Google Cloud project where Artifact Registry is running.

You can manually create the service account in a project without any repositories with the command:

gcloud beta services identity create \
    --service=artifactregistry.googleapis.com \
    --project=PROJECT-ID

Replace PROJECT-ID with the Google Cloud project ID.

The Artifact Registry Service Agent is granted the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent) for resources in the project. To enforce the security principle of least privilege, the role only has the minimum required permissions:

  • Publish Pub/Sub topics: pubsub.topics.publish
  • Download artifacts from Artifact Registry repositories: artifactregistry.repositories.downloadArtifacts
  • Delete artifacts: artifactregistry.versions.delete

What's next

Learn about Artifact Registry roles and configuring access to repositories.