Configuring access control

This page describes permissions to control access to Container Registry.

After you have configured permissions, you can then configure authentication for Docker clients that you use to push and pull images.

General access requirements

All users, service accounts, and other identities that interact with Container Registry must have the appropriate Cloud Identity and Access Management (Cloud IAM) permissions for Cloud Storage storage.

For the service account used by Compute Engine VMs, including VMs in Google Kubernetes Engine clusters, access is based on both Cloud IAM permissions and access scopes.

Cloud IAM permissions

Cloud Identity and Access Management permissions determine who can access resources. All users, service accounts, and other identities that interact with Container Registry must have the appropriate Cloud Storage permissions.

By default, Google Cloud use default service accounts to interact with resources within the same project. For example, the Cloud Build service account can both push and pull images when Container Registry is in the same project.

You must configure or modify permissions yourself if:

You are using a service account in one project to access Container Registry in a different project
You are using a default service account with read-only access to storage, but you want to both pull and push images
You are using a custom service account to interact with Container Registry

Access scopes for VMs and clusters

For service accounts associated with Compute Engine VMs, including VMs in GKE clusters, access to storage is based on both Cloud IAM permissions and the configured storage access scope.

The Compute Engine default service account is configured to pull images in the same project as the VM. If you need a VM or GKE cluster to pull images or interact with Container Registry in a different project, see Using Container Registry with Google Cloud.

Configuring Cloud IAM permissions

Container Registry uses Cloud Storage buckets as the underlying storage for container images. You control access to your images by granting appropriate Cloud Storage permissions to a user, group, service account, or other identity.

Cloud Storage permissions granted at the project level apply to all storage buckets in the project, not just the buckets used by Container Registry. To configure permissions specific to Container Registry, grant permissions on the storage bucket used by the registry. Container Registry ignores permissions set on individual objects within the storage bucket.

Although you can also use the project-level roles Owner, Editor, and Viewer to grant access, the Cloud Storage roles enables you to apply the security principle of least privilege, so that users and service accounts only have the permissions that are required.

Google Cloud products and applications that interact with Google Cloud use service accounts to interact with Container Registry. The following considerations apply to service account access:

By default, service accounts for some common integrations are configured with access to Container Registry within the same project. For example, by default the Cloud Build service account can push and pull images in the same project.
If the service account needs to access Container Registry in another project, you must grant the required permissions in the project with Container Registry.
VM instances, including those in Google Kubernetes Engine clusters, must have the correct storage access scopes configured to push or pull images. By default, VMs can pull images when Container Registry is in the same project.

Permissions and roles

The table below explains the permissions and roles required for Container Registry actions.

For more information about Cloud Storage roles and permissions, see the Cloud Storage documentation.

Action	Permissions	Role	Role Title
Push (Read and Write)	storage.buckets.create storage.buckets.delete storage.buckets.get storage.buckets.list storage.buckets.update storage.objects.create storage.objects.delete storage.objects.get storage.objects.list storage.objects.update	roles/storage.admin	Storage Admin
Pull (Read Only)	storage.objects.get storage.objects.list	roles/storage.objectViewer	Storage Object Viewer

Action

Permissions

Role

Role Title

Push (Read and Write)

storage.buckets.create

storage.buckets.delete

storage.buckets.get

storage.buckets.list

storage.buckets.update

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

storage.objects.update

roles/storage.admin

Storage Admin

Pull (Read Only)

storage.objects.get

storage.objects.list

roles/storage.objectViewer

Storage Object Viewer

Granting Cloud IAM permissions

Grant permissions on the storage bucket that Container Registry uses.

Granting permissions

If the Container Registry host location (gcr.io, asia.gcr.io, eu.gcr.io, us.gcr.io) does not already exist in the project, a user with Owner, Editor, or Storage Admin permissions must create the storage bucket by pushing an image to the host.
In the project with Container Registry, grant the appropriate permissions on the Cloud Storage bucket used by the host name.

The bucket that stores your images has the name BUCKET-NAME of the form:
- artifacts.PROJECT-ID.appspot.com for images pushed to a registry in the host gcr.io, or
- STORAGE-REGION.artifacts.PROJECT-ID.appspot.com
Where
- PROJECT-ID is your Google Cloud Console project ID.
- STORAGE-REGION is the location of the storage bucket:
  - us for registries in the host us.gcr.io
  - eu for registries in the host eu.gcr.io
  - asia for registries in the host asia.gcr.io
You can grant permission for a bucket using the Google Cloud Console or the gsutil command-line tool.
Console
1. Visit the Cloud Storage page in the Cloud Console.
2. Click the link artifacts.PROJECT-ID.appspot.com or STORAGE-REGION.artifacts.PROJECT-ID.appspot.com for the bucket.
  
  Here, PROJECT-ID is the Google Cloud project ID of the project that hosts Container Registry and STORAGE-REGION is the multi-region (asia, eu, or us) of the registry hosting the image.
3. Select the Permissions tab.
4. Click Add members.
5. From the menu that appears, fill the Members field with the email addresses of users needing permission, separated by commas. This email address can be one of the following:
  - a Google account (for example, someone@example.com)
  - A Google group (for example, my-developer-team@googlegroups.com)
  - an IAM service account
  - the Compute Engine default service account of another project. This account is used by the Google Kubernetes Engine to pull container images clusters by default. It is in the form PROJECT-NUMBER-compute@developer.gserviceaccount.com, where PROJECT-NUMBER is the Google Cloud project number of the project that is running the Google Kubernetes Engine cluster.
6. From the Select a role drop-down menu, select the Storage category, and then select the appropriate permission.
  - Storage Object Viewer to pull images only
  - Storage Object Admin to push and pull images
7. Click Add.
Note: Email addresses and domains must be associated with an active Google Account or Google Apps account.
gsutil
1. Run the following command to list buckets in the project:
```
gsutil ls
```
  The response looks like the following example:
```
gs://[BUCKET_NAME1]/
gs://[BUCKET_NAME2]/
gs://[BUCKET_NAME3]/ ...
```
2. Run the following command in your shell or terminal window:
```
gsutil iam ch TYPE:EMAIL-ADDRESS:ROLE gs://BUCKET_NAME
```
  Where
  - TYPE can be one of the following:
    
    serviceAccount, if EMAIL-ADDRESS specifies a service account.
    
    user, if the EMAIL-ADDRESS is a Google account.
    
    group, if the EMAIL-ADDRESS is a Google group.
  - EMAIL-ADDRESS can be one of the following:
    
    a Google account (for example, someone@example.com)
    
    A Google group (for example, my-developer-team@googlegroups.com)
    
    an IAM service account
    
    the Compute Engine default service account of another project. This account is used by Google Kubernetes Engine to pull container images clusters by default. It is in the form PROJECT_NUMBER-compute@developer.gserviceaccount.com, where PROJECT_NUMBER is the Google Cloud project number of the project that is running the Google Kubernetes Engine cluster.
  - ROLE is the Cloud Storage role you want to grant.
    
    objectViewer to pull images
    
    objectAdmin to push and pull images
  - BUCKET_NAME is the name of the Cloud Storage bucket in the form artifacts.PROJECT-ID.appspot.com or STORAGE-REGION.artifacts.PROJECT-ID.appspot.com
The gsutil iam ch command changes the Cloud IAM permissions of the storage bucket where the registry is hosted. Giving an account objectViewer permissions allows the account to pull images from the registry.

Note: Email addresses and domains must be associated with an active Google Account or Google Apps account.

Refer to the gsutil iam documentation for more information about the command.
Compute Engine and Google Kubernetes Engine are configured with permissions to pull images by default from Container Registry in the same project. If you have other requirements for these integrations, see Integration with Google Cloud services.

Configuring public access to images

Container Registry is publicly accessible if the host location's underlying storage bucket is publicly accessible. Within a project, all images in each host location are either public or not. Within a project's host, it is not possible to publicly serve only specific images. If you have specific images you want to make public:

Take care to keep them in a separate host location which you make public, or
Create a new project to hold a publicly accessible images.

To serve container images publicly, make the underlying storage bucket publicly accessible by following these steps:

Console

Ensure you have pushed an image to Container Registry so that the underlying storage bucket exists.
Open the Container Registry page in the Cloud Console.

Open the Container Registry page
On the left panel, click on Settings.
On the Settings page under Public access, toggle the visibility to Public or Private. This setting controls the access to the underlying storage bucket.

When the host's visibility is public, all images in your Google Cloud project that are in that host location are publicly accessible.

gsutil

Ensure you have pushed an image to Container Registry so that the underlying storage bucket exists.
Find the name of the Cloud Storage bucket for that registry. To do so, list the buckets:
```
gsutil ls
```
Your Container Registry bucket URL will be listed as gs://artifacts.PROJECT-ID.appspot.com or gs://STORAGE-REGION.artifacts.PROJECT-ID.appspot.com, where:
- PROJECT-ID is your Google Cloud Console project ID. Domain-scoped projects will have the domain name as part of the project ID.
- STORAGE-REGION is the location of the storage bucket:
  - us for registries in the host us.gcr.io
  - eu for registries in the host eu.gcr.io
  - asia for registries in the host asia.gcr.io
Make the storage bucket of the Container Registry publicly accessible by running the following command. This command will make all images in the bucket publicly accessible.
```
gsutil iam ch allUsers:objectViewer gs://BUCKET-NAME
```
where:
- gs://BUCKET-NAME is the Container Registry's bucket URL

When the Container Registry is publicly accessible, anyone can pull its images. For instructions, see Pulling images from a registry.

Revoking permissions

Use the following steps to revoke Cloud IAM permissions.

Console

Visit the Cloud Storage page in the Cloud Console.
Click the link artifacts.PROJECT-ID.appspot.com or STORAGE-REGION.artifacts.PROJECT-ID.appspot.com for the bucket. Here, PROJECT-ID is the Google Cloud project ID of the project that hosts Container Registry and STORAGE-REGION is the multi-region (asia, eu, or us) of the registry hosting the image.
Select the Permissions tab.
Click the trash icon next to any member you wish to remove.

gsutil

Run the following command in your shell or terminal window:

gsutil iam ch -d MEMBER gs://BUCKET-NAME

where:

MEMBER can be one of the following:
- user:EMAIL-ADDRESS for a Google account
- serviceAccount:EMAIL-ADDRESS for an IAM service account
- group:EMAIL-ADDRESS for a Google group.
- allUsers for revoking public access
BUCKET-NAME is the name of the desired bucket

Integration with Google Cloud services

By default, service accounts for some common integrations are configured for either pull or pull and push access within the same project. Access is based on Cloud IAM permissions, and you only need to configure permissions if the service account is connecting to Container Registry in a different project.

The service account associated with Compute Engine VM instances, including VMs in GKE clusters, has an additional requirement. VM access to storage is based on granted Cloud IAM permissions and storage access scopes.

Cloud IAM permissions determine who can access a resources.
Access scopes determine the default OAuth scopes for requests made through the gcloud tool and client libraries on a VM instance. As a result, access scopes can further limit access to API methods when authenticating with application default credentials.
- To pull a private image, the VM service account must have read permission to the image's storage bucket.
- To push a private images, the VM service account must have read-write, cloud-platform, or full-control permission to the image's storage bucket.

By default, the default Compute Engine default service account has Editor permission for resources in the same project and the read-only storage access scope. The read-only scope limits a VM to pulling images only. The default service account has the suffix @developer.gserviceaccount.com.

The following setups require you to change the default permission or scope configuration.

Pushing images from a VM or cluster: If you want to push images, the VM instance service account must have the storage-rw scope instead of storage-ro.
The VM and Container Registry are in separate projects: You must grant the service account with Cloud IAM permissions to access the storage bucket used by Container Registry.
Running gcloud commands on VMs: The service account must have the cloud-platform scope. This scope grants permissions to push and pull images, as well as run gcloud commands.

Steps to configure permissions and scopes are in the following sections.

Configuring Cloud IAM permissions for VMs

By default, Compute Engine VMs can only access storage in the same project. If your VM needs to access Container Registry in a different project, you must grant permissions to the VM service account.

In the project with your VM instance, get the name of the Compute Engine default service account or the service account you associated with the VM instance. The default service account has the suffix @developer.gserviceaccount.com.
In the project with the Container Registry, grant permissions so that the service account can access the Container Registry.

Configuring scopes for VMs

To set access scopes when creating a VM, use the --scopes option.

gcloud compute instances create INSTANCE --scopes=SCOPE

Where

INSTANCE is the VM instance name.
SCOPE is the scope you want to configure for the VM service account:
- Pull images: storage-ro
- Pull and push images: storage-rw
- Pull and push images, run gcloud commands: cloud-platform

To change scopes for an existing VM instance:

Set the access scope with the --scopes option.

Stop the VM instance. See Stopping an instance.
Change the access scope with the following command.
```
gcloud compute instances set-service-account INSTANCE --scopes=SCOPE
```
Where
- INSTANCE is the VM instance name.
- SCOPE is the scope you want to configure for the VM service account:
  - Pull images: storage-ro
  - Pull and push images: storage-rw
  - Pull and push images, run gcloud commands: cloud-platform
Restart the VM instance. See Starting a stopped instance.

Configuring scopes for Google Kubernetes Engine clusters

By default, new GKE clusters are created with read-only permissions for Cloud Storage buckets.

To set the read-write storage scope when creating a Google Kubernetes Engine cluster, use the --scopes option. For example, the following command creates a cluster with the scopes bigquery, storage-rw, and compute-ro:

gcloud container clusters create example-cluster \
--scopes=bigquery,storage-rw,compute-ro

For more information about scopes you can set when creating a new cluster, refer to the documentation for the command gcloud container clusters create.