Compute Engine can pull containers directly from Artifact Registry repositories.
Required permissions
By default, the Compute Engine service account has the Editor role for resources in the same project and the read-only access scope for Cloud Storage buckets. Although the Editor role generally grants write access, the read-only access scope limits the VM instance's service account to downloading artifacts from repositories in the same project.
You must configure the appropriate permissions and access scopes yourself if you have other requirements. For example:
- You want the VM instance to upload to repositories. In this case, you must configure an access scope with write access to storage: read-write, cloud-platform, or full-control.
- The VM instance is in a different project than the repositories that you want to access. In the project that contains the repositories, grant the required permissions to the instance's service account.
- The repositories are in the same project, but you do not want the default service account to have the same level of access across all repositories. In this case, grant the appropriate permissions at the repository level and revoke the Artifact Registry permissions at the project level.
- The VM is associated with a custom service account. Ensure that the service account has the required permissions and access scope.
- You are using custom roles to grant permissions and the custom role does not include the required Artifact Registry permissions. Add the required permissions to the role.
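The scope and repository-level grant cases above, as an added shell example that is not part of the Google Cloud documentation. All project, repository, location and service-account names are placeholder assumptions; the script prints the gcloud commands by default (DRY_RUN=1) so the changes can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Every project, repository,
# location and service-account name below is a placeholder assumption.
set -eu

VM_PROJECT="${VM_PROJECT:-vm-project-placeholder}"
REPO_PROJECT="${REPO_PROJECT:-repo-project-placeholder}"
REPO="${REPO:-images}"
LOCATION="${LOCATION:-us-central1}"
SA="${SA:-vm-puller@${VM_PROJECT}.iam.gserviceaccount.com}"

# DRY_RUN=1 (the default) prints each gcloud command instead of running it,
# so the IAM and scope changes can be reviewed before anything is applied.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Access scope: a VM that only pulls keeps the read-only storage scope
#    (gcloud alias storage-ro); only a VM that must push gets a write scope
#    (storage-rw here; storage-full or cloud-platform are the other options).
create_vm_cmd() {
  scope="storage-ro"
  if [ "$1" = "push" ]; then scope="storage-rw"; fi
  run gcloud compute instances create-with-container "vm-$1" \
    --project="$VM_PROJECT" --zone="${LOCATION}-a" \
    --service-account="$SA" --scopes="$scope" \
    --container-image="${LOCATION}-docker.pkg.dev/${REPO_PROJECT}/${REPO}/app:latest"
}

# 2. Cross-project or repository-level access: grant the reader role on the one
#    repository in the repository project, rather than Editor on the whole project.
grant_repo_reader_cmd() {
  run gcloud artifacts repositories add-iam-policy-binding "$REPO" \
    --project="$REPO_PROJECT" --location="$LOCATION" \
    --member="serviceAccount:${SA}" --role="roles/artifactregistry.reader"
}

# 3. Check after the change: the service account and scopes the VM really has.
show_vm_identity_cmd() {
  run gcloud compute instances describe "$1" --project="$VM_PROJECT" \
    --zone="${LOCATION}-a" --format='yaml(serviceAccounts)'
}

# Example run (prints the commands with DRY_RUN=1):
create_vm_cmd pull
grant_repo_reader_cmd
show_vm_identity_cmd vm-pull
```

Run with DRY_RUN=0 and real values in the environment variables to apply the commands.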