Artifact Registry service account

The Artifact Registry Service Agent is a Google-managed service account that acts on behalf of Artifact Registry when interacting with Google Cloud services. When you enable the Artifact Registry API for a Google Cloud project, the Artifact Registry Service Agent is automatically created in the project and is granted the Artifact Registry Service Account role (roles/artifactregistry.serviceAgent) for the resources in the project.

To enforce the security principle of least privilege, the Artifact Registry Service Agent role only has the minimum required permissions:

  • Publish Pub/Sub topics: pubsub.topics.publish
  • Download artifacts from Artifact Registry repositories: artifactregistry.repositories.downloadArtifacts

What's next

Learn about Artifact Registry roles and configuring access to repositories.