Configuring Cloud Pub/Sub notifications

When changes are made to your Container Registry repository, such as when images are pushed, tagged, or deleted, you can receive notifications using Cloud Pub/Sub.

Cloud Pub/Sub publishes messages about your repository to named resources called topics. These messages are received by applications subscribed to Cloud Pub/Sub topics. Subscriber applications send notifications when your repository's state changes.

Additionally, you can configure roles and permissions for your Cloud Pub/Sub topics to control how users interact with your repository.

Create a Cloud Pub/Sub topic

For each Container Registry project for which you'd like notifications, you need to create a Cloud Pub/Sub topic using a Cloud Pub/Sub publisher application.

A publisher application sends messages to your repository's topic when your repository's state changes. You can create a topic using either the GCP Console or the gcloud command-line tool.

When you create a topic, you need to use a qualified URI for your repository. The qualified URI is:

projects/[PROJECT-ID]/topics/gcr

where [PROJECT-ID] is your Google Cloud Platform project ID.

To create a topic:

gcloud pubsub topics create projects/[PROJECT-ID]/topics/gcr

Create a Cloud Pub/Sub subscription

Every Cloud Pub/Sub topic should have a Cloud Pub/Sub subscription.

A subscriber application receives messages from your repository's topic. Subscribers fulfill tasks like event notifications, system logging, and communication between applications.

Subscriptions can be configured to use a push model or a pull model.

To create a subscription:

gcloud pubsub subscriptions create [SUBSCRIPTION-NAME] --topic=gcr

Configuring Cloud Pub/Sub permissions

You can use Cloud Pub/Sub access control to configure permissions for your project and resources. Access controls keep your repository secure and allow you to manage user permissions using role-based access.

You can configure Cloud Pub/Sub access controls in the GCP Console's IAM page or via the IAM API.

• To configure permissions for publishing, use any of the following roles: owner, editor, pubsub.admin, pubsub.editor, pubsub.publisher

• To configure permissions for subscribing, use any of the following roles: owner, editor, pubsub.admin, pubsub.editor, pubsub.subscriber

Notification examples

Notifications are sent as JSON-formatted strings. Below are examples of what to expect when receiving Container Registry notifications from Cloud Pub/Sub.

When an image is pushed to Container Registry, the notification payload might look like this:

{
  "action":"INSERT",
  "digest":"gcr.io/my-project/hello-world@sha256:6ec128e26cd5..."
}

When a new tag is pushed to Container Registry, the notification payload might look like this:

{
  "action":"INSERT",
  "digest":"gcr.io/my-project/hello-world@sha256:6ec128e26cd5...",
  "tag":"gcr.io/my-project/hello-world:1.1"
}

The message identifies the relevant image using either a digest or tag key.

When a tag is deleted from Container Registry, the notification payload might look like this:

{
  "action":"DELETE",
  "tag":"gcr.io/my-project/hello-world:1.1"
}

The message might contain either DELETE or INSERT as values for the action key.

What's next

• Read the Cloud Pub/Sub documentation.
• For an in-depth explanation of Cloud Pub/Sub, see What is Cloud Pub/Sub?
• Learn more about Cloud Pub/Sub access control roles.