Using Artifact Registry in Google Cloud

This page summarizes general requirements for using Artifact Registry with other Google Cloud services.

There are two forms of access control to consider for connections with Artifact Registry repositories.

IAM permissions
Identity and Access Management permissions determine the users, service accounts and other identities that can access resources. You grant Artifact Registry permissions to identities that can access repositories.
Access scopes
Access scopes determine the default OAuth scopes for requests made through the gcloud tool and client libraries on a VM instance. As a result, access scopes can further limit access to API methods when authenticating with application default credentials.

Service accounts for Google Cloud products that typically push or pull images are preconfigured with access to repositories in the same project. You must configure or modify permissions yourself if:

  • You are using a service account in one project to access Artifact Registry in a different project
  • You are using a service account with read-only access to storage, but you want the service account to both pull and push images
  • You are using a custom service account to interact with Artifact Registry.
  • You are deploying to Google Kubernetes Engine clusters and you are using a version of GKE that does not include default integration with Artifact Registry

Integrations within Google Cloud include: