Work with container images

Artifact Registry can store Docker and OCI container images in a Docker repository.

To get familiar with container images in Artifact Registry, you can try the quickstart.

When you are ready to learn more, read the following information:

• Create a Docker repository for your images.
• Grant permissions to the account that will connect with the repository.
  • The default service account for Compute Engine has permissions to pull from Artifact Registry repositories in the same Google Cloud project unless you have disabled automatic role granting to default service accounts. The Compute Engine service account is also the default GKE node service account and the default Cloud Run service account.
  • The Cloud Build default service account has permissions to push to and pull from Artifact Registry repositories in the same Google Cloud project unless you have disabled automatic role granting to default service accounts.
• If you are using a Docker client to push and pull images, configure authentication to Artifact Registry.
• Learn about pushing and pulling images.
• Learn about managing images.

• Learn how to manage container metadata with attachments. Attachments are OCI artifacts that hold metadata about another container image.

  Metadata can be any relevant information you want to store that is related to a container image, including files you can scan or generate with Artifact Analysis:

  • Software bill of materials (SBOM)
  • Vulnerability scan results
  • Other metadata such as build provenance

• Set up Pub/Sub notifications for changes to your repository.
• Set up Artifact Analysis to manage image metadata and scan for vulnerabilities.