Create repositories

Stay organized with collections Save and categorize content based on your preferences.

This page describes how to create Artifact Registry repositories.

Before you begin

  1. Enable Artifact Registry, including enabling the Artifact Registry API and installing Google Cloud CLI.
  2. (Optional) Configure defaults for gcloud commands.
  3. You must have the Artifact Registry Administrator role or a role with equivalent permissions.

Overview

You must create a repository before you can upload artifacts. Each repository can contain artifacts for a single supported format.

All repository content is encrypted using either Google-managed or customer-managed encryption keys. Artifact Registry uses Google-managed encryption keys by default and no configuration is required for this option.

Artifact Registry supports CMEK organization policies that can require CMEK protection and can limit which Cloud KMS CryptoKeys can be used for CMEK protection.

For information about managing existing repositories, see the following information:

Setting up CMEK for repositories

By default, Google Cloud automatically encrypts data when it is at rest with Google-managed encryption keys that you manage in Cloud Key Management Service (KMS). If you have specific compliance or regulatory requirements related to the keys that protect your data, you can create repositories that use customer-managed-encryption keys (CMEK) to encrypt repository content.

Before you create a repository that you want to encrypt with CMEK, you must create and enable a key in Cloud KMS. You can then assign the key to the repository when you create it.

You cannot change the encryption mechanism of an existing repository. If you have a CMEK-encrypted repository, you cannot change the encryption mechanism to Google default encryption or assign a different Cloud KMS key for encryption.

Overview

When you create a repository, you must choose the following settings:

You cannot change these settings after you create the repository.

The following table summarizes the available artifact formats, the corresponding repository for the format, and the value to use for creating the repository with the Google Cloud CLI.

Artifact Repository format gcloud setting
Container images or Helm charts Docker docker
Java packages Maven maven
Node.js packages npm npm
Python packages Python python
Debian packages APT apt
RPM packages Yum yum
Kubeflow pipeline templates Kubeflow Pipelines kfp

Create and configure repositories

To create and configure a new repository:

  1. If you are using CMEK to encrypt repository data, create the key you will use with this repository and grant permissions to use the key. See Enabling customer-managed encryption keys.

  2. Add the repository.

    Console

    1. Open the Repositories page in the Google Cloud console.

      Open the Repositories page

    2. Click Create Repository.

    3. Specify the repository name. For each repository location in a project, repository names must be unique.

    4. Specify the repository format.

    5. If you are creating a Maven repository, configure the repository version policy.

      1. Choose a version policy:

        • None - No version policy. Store both release and snapshot packages.
        • Release - Store only release packages.
        • Snapshot - Store only snapshot packages.
      2. If you want a snapshot repository to accept non-unique snapshots that overwrite existing versions in the repository, select Allow snapshot overwrites.

    6. Under Location Type, choose the location for the repository:

      1. Choose the location type: Region or Multi-Region. The list of locations changes to reflect your selection.

      2. In the Region or Multi-region list, select a location.

      For information about location types and supported locations, see Repository locations

    7. Add a description for the repository. Descriptions help to identify the purpose of the repository and the kind of artifacts it contains.

      Do not include sensitive data, since repository descriptions are not encrypted.

    8. If you want to use labels to organize your repositories, click Add Label and enter the key-value pair for the label. You can add, edit, or remove labels after you create the repository.

    9. In the Encryption section, choose the encryption mechanism for the repository.

      • Google-managed key - Encrypt repository content with a Google-managed encryption key.
      • Customer-managed key - Encrypt repository content with a key that you control through Cloud Key Management Service. For key setup instructions, see Setting up CMEK for repositories.
    10. Click Create.

    gcloud

    Run the command to create a new repository.

    gcloud artifacts repositories create REPOSITORY \
        --repository-format=FORMAT \
        [--location=LOCATION] \
        [--description="DESCRIPTION"] \
        [--kms-key=KMS-KEY] \
        [--async] \
    
    • REPOSITORY is the name of the repository. For each repository location in a project, repository names must be unique.
    • FORMAT is the repository format.
    • LOCATION is the regional or multi-regional location for the repository. You can omit this flag if you set a default. To view a list of supported locations, run the command:

      gcloud artifacts locations list
      
    • DESCRIPTION is a description of the repository. Do not include sensitive data, since repository descriptions are not encrypted.

    • KMS-KEY is the full path to the Cloud KMS encryption key, if you are using a customer-managed encryption key to encrypt repository contents. The path is in the format:

      projects/KMS-PROJECT/locations/KMS-LOCATION/keyRings/KEY-RING/cryptoKeys/KEY
      

      Where

      • KMS-PROJECT is the project where your key is stored.
      • KMS-LOCATION is the location of the key.
      • KEY-RING is the name of the key ring.
      • KEY is the name of the key.
    • --async returns immediately, without waiting for the operation in progress to complete.

    By default, Maven repositories store both snapshot and release versions of packages. If you want to store snapshot and release versions in different repositories, specify the version policy for the repository when you create it.

    gcloud artifacts repositories create REPOSITORY \
        --repository-format=FORMAT \
        [--location=LOCATION] \
        [--description="DESCRIPTION"] \
        [--kms-key=KMS-KEY] \
        [--version-policy=VERSION-POLICY] \
        [--allow-snapshot-overwrites] \
        [--async] \
    

    The following flags are specific to Maven repositories:

    --version-policy=VERSION-POLICY
    Specifies the types of packages to store in the repository. You can set VERSION-POLICY to:
    • None - No version policy. Store both release and snapshot packages. If you do not include the --version-policy flag in your command, this is the default setting.
    • Release - Store only release packages.
    • Snapshot - Store only snapshot packages.
    --allow-snapshot-overwrites

    For snapshot repositories only. If you specify this flag, you can publish non-unique snapshots that overwrite existing versions in the repository.

    Terraform

    Use beta version of the google_artifact_registry_repository resource to create repositories.

    If you are new to using Terraform for Google Cloud, see the Get Started - Google Cloud page on the HashiCorp website.

    The following example defines the provider and a repository with the Terraform resource name my-repo.

    provider "google" {
        project = "PROJECT-ID"
    }
    
    resource "google_artifact_registry_repository" "my-repo" {
      provider = google-beta
    
      location = "LOCATION"
      repository_id = "REPOSITORY"
      description = "DESCRIPTION"
      format = "FORMAT"
      kms_key_name = "KEY"
    }
    

    Where

    • PROJECT-ID is the Google Cloud project ID.
    • REPOSITORY is the repository name.
    • LOCATION is the repository location.
    • DESCRIPTION is the optional description for the repository. Do not include sensitive data, since repository descriptions are not encrypted.
    • FORMAT is the format of repository.

      • DOCKER
      • KFP
      • MAVEN
      • NPM
      • PYTHON
      • APT
      • YUM
    • KEY is the name of the Cloud Key Management Service key, if you are using customer-managed encryption keys (CMEK) for encryption. Omit this argument to use the default setting, Google-managed encryption keys.

    For Maven repositories only, you can specify a version policy for the repository using a maven_config block. This block supports the following settings:

    • version_policy sets the version policy with one of the following values:
      • VERSION_POLICY_UNSPECIFIED: Store snapshot and release packages. This is the default setting.
      • RELEASE: Store release packages only.
      • SNAPSHOT: Store snapshot packages only.
    • allow_snapshot_overwrites configures a repository with a SNAPSHOT version policy to accept non-unique snapshots that overwrite existing versions in the repository.

    The following example defines a Maven repository with a release version policy.

    provider "google" {
      project = "my-project"
    }
    
    resource "google_artifact_registry_repository" "my-repo" {
      provider = google-beta
    
      location = "us-central1"
      repository_id = "my-repo"
      description = "Maven repository"
      format = "MAVEN"
      maven_config {
        version_policy = "RELEASE"
      }
    }
    
  3. Grant permissions for accessing the repository.

    If you have granted any Artifact Registry roles at the project level, those roles are inherited by repositories in the project. If you want team members to have different levels of access to the repositories in your project, grant roles at the repository level.

  4. To interact with repositories from Docker or package managers, you must configure authentication for those tools. Refer to the appropriate page:

Update repository descriptions

You can update the description of an existing repository with the following command:

gcloud artifacts repositories update REPOSITORY [--project=PROJECT] \
[--location=LOCATION] --description="DESCRIPTION"

WHERE

  • REPOSITORY is the name of the repository. If you configured a default repository, you can omit this flag to use the default.
  • PROJECT is the Google Cloud project ID. If this flag is omitted, the current or default project is used.
  • LOCATION is a regional or multi-regional location. Use this flag to view repositories in a specific location. If you configured a default location, you can omit this flag to use the default.
  • DESCRIPTION is a description for the repository.

For more information about the command, run the following command:

 gcloud artifacts repositories update --help

What's next