Container Registry service account

The Container Registry Service Agent is a Google-managed service account that acts on behalf of Container Registry when interacting with Google Cloud services.

To enforce the security principle of least privilege, this service account is granted the Container Registry Service Agent role in projects where the Container Registry API was enabled after October 5, 2020. This role has the following permissions:

  • Publish topics: pubsub.topics.publish
  • Read storage object ACLs: storage.objects.getIamPolicy
  • Read storage object data and metadata: storage.objects.get
  • List storage objects in a bucket and read object metadata: storage.objects.list

Previously, the Container Registry service account was granted the Editor role. Since the Editor role grants permissions to create and delete most resources in a project, we recommend restricting permissions if your Container Registry service account has this role.

Finding the service account ID

The Container Registry service account has the following ID:

service-[PROJECT_NUMBER]@containerregistry.iam.gserviceaccount.com

To find the service account, look at the list of principals that have access to your project.

Console

  1. Go to the IAM page.

  2. To add Google-managed accounts to the list of principals, select the Include Google-provided role grants check box.

  3. To filter the list, enter containerregistry in the Filter field.

gcloud

Run the following command to list principals that contain the string containerregistry:

gcloud projects get-iam-policy PROJECT-ID \
    --flatten="bindings[].members"
    --filter="containerregistry"

Replace PROJECT-ID with your Google Cloud project ID.

Verifying current permissions

To verify the current permissions of your Container Registry service account, run the command:

gcloud projects get-iam-policy PROJECT-ID  \
    --flatten="bindings[].members" \
    --format='table(bindings.role)' \
    --filter="bindings.members:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com"

Where

  • PROJECT-ID is the Google Cloud project ID.
  • PROJECT-NUMBER is the Google Cloud project number.

You can obtain the project ID and project number in the Google Cloud console or with the following commands:

PROJECT=$(gcloud config get-value project)
echo $PROJECT && gcloud projects list --filter="$PROJECT" --format="value(PROJECT_NUMBER)"

Changing permissions

To grant the Container Registry Service Agent role and revoke the Editor role:

  1. Grant the Container Registry Service Agent role with the following command:

    gcloud projects add-iam-policy-binding PROJECT-ID \
    --member=serviceAccount:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com --role=roles/containerregistry.ServiceAgent
    
  2. Revoke the Editor role with the following command:

    gcloud projects remove-iam-policy-binding PROJECT-ID \
    --member=serviceAccount:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com --role=roles/editor