Configuring Access Control

This page describes the access control options available in Container Registry.

Container Registry uses a Cloud Storage bucket as the backend for serving container images. You can control who has access to your Container Registry images by adjusting permissions for the Cloud Storage bucket.

You manage access control in Cloud Storage by using the Console or the gsutil command-line tool. Refer to the gsutil acl and gsutil defacl documentation for more information.

Permissions and Roles

The following table explains the permissions and roles required for Container Registry actions.

Action Permissions Role Role Title
Push (Read and Write)

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

 roles/storage.admin Storage Admin
Pull (Read Only)

storage.objects.get

storage.objects.list

 roles/storage.objectViewer Storage Object Viewer

Granting specific users read permission for the Cloud Storage bucket

To grant specific users read permission, perform the following steps:

gcloud

Run the following commands in your shell or terminal window:

gsutil defacl ch -u [EMAIL-ADDRESS]:READ gs://artifacts.[PROJECT-ID].appspot.com
gsutil acl ch -r -u [EMAIL-ADDRESS]:READ gs://artifacts.[PROJECT-ID].appspot.com

where:

The gsutil defacl command changes the default access control list for your bucket, which affects all future objects in the bucket. The gsutil acl command recursively grants read-only permission for every existing object.

Console

  1. Visit the Cloud Storage page in Cloud Platform Console.
  2. Select the artifacts.[PROJECT-ID].appspot.com bucket's checkbox.
  3. Click Show Info Panel.
  4. From the menu that appears, fill the Add members field with the email addresses of users needing read permission, separated by commas.
  5. From the Select a role drop-down menu's Storage category, select Storage Object Viewer.
  6. Click Add.

This procedure grants the user read permission for the whole bucket.

Serving images publicly

To serve your Container Registry images publicly, perform the following steps:

  1. Create an empty project for the public registry. This is recommended to avoid inadvertently making private containers public.

  2. Push an image to your empty project's registry by running the following command in your shell or terminal window:

    docker tag [IMAGE] [HOSTNAME]/[YOUR-PROJECT-ID]/[IMAGE]
gcloud docker -- push [HOSTNAME]/[YOUR-PROJECT-ID]/[IMAGE]

  3. Display your project's Cloud Storage buckets:

    gsutil ls

    Your Container Registry bucket may be named gs://artifacts.[PROJECT-ID].appspot.com or gs://[REGION].artifacts.[PROJECT-ID].appspot.com.

  4. Set the default access control list to "read only" for all future objects by running the following command in your shell or terminal window:

    gsutil defacl ch -u AllUsers:READ gs://artifacts.[PROJECT-ID].appspot.com

  5. Mark all current objects (including the image you just pushed) in your registry public by running the following command in your shell or terminal window:

    gsutil acl ch -r -u AllUsers:READ gs://artifacts.[PROJECT-ID].appspot.com

  6. Make your registry's bucket publicly accessible:

    gsutil acl ch -u AllUsers:READ gs://artifacts.[PROJECT-ID].appspot.com

Adding new project members with Cloud Storage permissions

You can add new project members to your Google Cloud Platform project and grant them the Storage Object Viewer role.

To add a new members to a project, perform the following steps:

  1. Visit the IAM & Admin page in Cloud Platform Console.
  2. Click Add and provide email addresses in the Members field.
  3. From the Roles drop-down menu's Storage category, select Storage Object Viewer.
  4. Click Add.

Revoking permissions for specific users

To revoke permissions for specific users, run the following command in your shell or terminal window, where [EMAIL-ADDRESS] is the user's email address and [PROJECT-ID] is your project ID:

gsutil acl ch -d [EMAIL-ADDRESS] gs://artifacts.[PROJECT-ID].appspot.com

Send feedback about...

This page
Documentation feedback
Container Registry
Product feedback