This page describes the access control options available in Container Registry and how to use an encryption key with Container Registry.
Container Registry uses a Cloud Storage bucket as the backend for serving container images. You can control who has access to your Container Registry images by adjusting permissions for the Cloud Storage bucket.
You manage access control in Cloud Storage by using the GCP Console
or the gsutil command-line tool. Refer to the
gsutil iam documentation for more
information.
Permissions and roles
The table below explains the permissions and roles required for Container Registry actions.
If you are granting a role for the individual storage bucket rather than for the entire GCP project, ensure that you have first pushed an image to Container Registry in the wanted host location so that the underlying storage bucket exists.
| Action | Permissions | Role | Role Title |
|---|---|---|---|
| Push (Read and Write) |
storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update |
roles/storage.admin | Storage Admin |
| Pull (Read Only) |
storage.objects.get storage.objects.list |
roles/storage.objectViewer | Storage Object Viewer |
If you enable Bucket Policy Only for any storage bucket, make sure that all Container Registry users and service accounts have the above roles explicitly set. In this case, the Owner and Editor roles by themselves might not grant the required permissions.
Granting users and other projects access to a registry
To give specific users or container clusters running on other projects permissions to pull images from a registry, you need to grant read permission on the underlying Cloud Storage bucket.
The bucket which backs your images will have a [BUCKET_NAME] of the form:
artifacts.[PROJECT-ID].appspot.comfor images pushed to a registry in the hostgcr.io, or[REGION].artifacts.[PROJECT-ID].appspot.com, where:[PROJECT-ID]is your Google Cloud Platform Console project ID.[REGION]is:usfor registries in the hostus.gcr.ioeufor registries in the hosteu.gcr.ioasiafor registries in the hostasia.gcr.io
You can grant read permission on the underlying Cloud Storage bucket using the Google Cloud Platform Console or the command line.
Console
- Ensure you have pushed an image to Container Registry so that the underlying storage bucket exists.
- Visit the Cloud Storage page in the GCP Console.
Click the
artifacts.[PROJECT-ID].appspot.comand/or[REGION].artifacts.[PROJECT-ID].appspot.combucket's link. Here,[PROJECT-ID]is the GCP project ID of the project that hosts your Container Registry and[REGION]corresponds to the[REGION].gcr.ioregistry hosting the image.Select the Permissions tab.
Click Add members.
From the menu that appears, fill the Members field with the email addresses of users needing read permission, separated by commas. This email address can be one of the following:
- a Google account (for example,
someone@example.com) - a Cloud IAM service account
- the Compute Engine default service account
of another project. This account is used by the Google Kubernetes Engine
to pull container images clusters by default. It is in the form
[PROJECT_NUMBER]-compute@developer.gserviceaccount.com, where[PROJECT-NUMBER]is the GCP project number of the project that is running the Google Kubernetes Engine cluster.
- a Google account (for example,
From the Select a role drop-down menu's Storage category, select Storage Object Viewer.
Click Add.
This procedure grants the user read permission for the whole bucket.
gsutil
- Ensure you have pushed an image to Container Registry so that the underlying storage bucket exists.
Run the following command in your shell or terminal window:
gsutil iam ch [TYPE]:[EMAIL-ADDRESS]:objectViewer gs://[BUCKET_NAME]where:
[TYPE]can be one of the following:serviceAccount, if[EMAIL-ADDRESS]specifies a service account.user, if the[EMAIL-ADDRESS]is a Google account.
[EMAIL-ADDRESS]can be one of the following:- a Google account (for example,
someone@example.com) - a Cloud IAM service account
- the
Compute Engine default service account
of another project. This account is used by Google Kubernetes Engine
to pull container images clusters by default. It is in the form
[PROJECT_NUMBER]-compute@developer.gserviceaccount.com, where[PROJECT-NUMBER]is the GCP project number of the project that is running the Google Kubernetes Engine cluster.
- a Google account (for example,
[BUCKET_NAME]is the name of the Cloud Storage bucket which hosts the images, as described above.
The gsutil iam ch command changes the IAM permissions of the storage
bucket where the registry is hosted. Giving an account objectViewer
permissions allows the account to pull images from the registry.
Serving images publicly
Container Registry is publicly accessible if the host location's underlying storage bucket is publicly accessible. Within a project, all images in each host location are either public or not. Within a project's host, it is not possible to publicly serve only specific images. If you have specific images you want to make public:
- Take care to keep them in a separate host location which you make public, or
- Create a new project to hold a publicly accessible images.
To serve container images publicly, make the repository's underlying storage bucket publicly accessible by following these steps:
Console
Ensure you have pushed an image to Container Registry so that the underlying storage bucket exists.
Open the Container Registry page in the GCP Console.
On the left panel, click on Settings.
On the Settings page under Public access, toggle the visibility to Public or Private. This setting controls the access to the underlying storage bucket.
When the host's visibility is public, all images in your Google Cloud Platform project that are in that host location are publicly accessible.
gsutil
Ensure you have pushed an image to Container Registry so that the underlying storage bucket exists.
Find the name of the Cloud Storage bucket for that registry. To do so, list the buckets:
gsutil lsYour Container Registry bucket URL will be listed as
gs://artifacts.[PROJECT-ID].appspot.comorgs://[REGION].artifacts.[PROJECT-ID].appspot.com, where:[PROJECT-ID]is your Google Cloud Platform Console project ID. Domain-scoped projects will have the domain name as part of the project ID.[REGION]is:usfor registries in the hostus.gcr.ioeufor registries in the hosteu.gcr.ioasiafor registries in the hostasia.gcr.io
Make the storage bucket of the Container Registry publicly accessible by running the following command. This command will make all images in the bucket publicly accessible.
gsutil iam ch allUsers:objectViewer gs://[BUCKET_NAME]where:
gs://[BUCKET_NAME]is the Container Registry's bucket URL
Pulling a publicly accessible image
When the Container Registry is publicly accessible, anyone can pull its images. For instructions, see Pulling images from a registry.
Using Customer-Managed Encryption Keys
You can use a Cloud Key Management Service encryption key with Container Registry by using the encryption key with the underlying storage bucket. To do so:
Ensure you have pushed an image to Container Registry so that the underlying storage bucket exists.
Follow the Cloud Storage instructions for Using Customer-Managed Encryption Keys with the storage bucket.
Revoking permissions
Console
- Visit the Cloud Storage page in the GCP Console.
Click the
artifacts.[PROJECT-ID].appspot.comand/or[REGION].artifacts.[PROJECT-ID].appspot.combucket's link. Here,[PROJECT-ID]is the GCP project ID of the project that hosts your Container Registry and[REGION]corresponds to the[REGION].gcr.ioregistry hosting the image.Select the Permissions tab.
Click the trash icon next to any member you wish to remove.
gsutil
Run the following command in your shell or terminal window:
gsutil iam ch -d [MEMBER] gs://[BUCKET_NAME]
where:
[MEMBER]can be one of the following:user:[EMAIL_ADDRESS]for a Google accountserviceAccount:[EMAIL_ADDRESS]for a Cloud IAM service accountallUsersfor revoking public access
[BUCKET_NAME]is the name of the desired bucket
