The Artifact Registry Service Agent acts on behalf of Artifact Registry when interacting with Google Cloud services.
After you create the first Artifact Registry repository in a Google Cloud project, the Artifact Registry Service Agent is automatically created. The service agent identifier is:
service-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com
PROJECT-NUMBER is the project number of the Google Cloud project where Artifact Registry is running.
You can manually create the service account in a project without any repositories with the command:
gcloud beta services identity create \
--service=artifactregistry.googleapis.com \
--project=PROJECT-ID
Replace PROJECT-ID
with the Google Cloud project ID.
The Artifact Registry Service Agent is granted the Artifact Registry
Service Agent role (roles/artifactregistry.serviceAgent
) for resources in the
project. To enforce the security principle of least privilege, the role only
has the minimum required permissions:
- Publish Pub/Sub topics:
pubsub.topics.publish
- Download artifacts from Artifact Registry repositories:
artifactregistry.repositories.downloadArtifacts
- Delete artifacts:
artifactregistry.versions.delete
What's next
Learn about Artifact Registry roles and configuring access to repositories.