Using Container Registry with Google Cloud Platform

Compute resources in Google Cloud Platform are integrated with Container Registry for easy access.

Google Compute Engine

To pull private Docker images from a Compute Engine instance, ensure that your instance has read permission for the image's bucket. This is configured correctly by default if your instance and the image bucket are in the same Google Cloud Platform project.

To push private Docker images from a Compute Engine instance, your instance must have read-write or full-control permission to the image's bucket.

To start an instance with read-write permission to your Storage buckets, run the command:

gcloud compute instances create INSTANCE \
  --scopes https://www.googleapis.com/auth/devstorage.read_write

Container-optimized Compute Engine Instances

For information about how to start a container-optimized Google Compute Engine instance using an image in your registry, see Starting a Docker container via cloud-config.

For additional information, see Creating and Configuring Instances.

Google Kubernetes Engine

Kubernetes Engine clusters are automatically configured with access to pull private images from the Container Registry in the same project. You do not need to follow additional steps to configure authentication if the registry and the cluster are in the same Cloud project.

You can run a Container Registry image on a Kubernetes Engine cluster using the following command:

kubectl run [NAME] --image=[IMAGE_NAME]

where:

  • [NAME] is the name of the resource
  • [IMAGE_NAME] is the name of the image in Container Registry. The name format should be *.gcr.io/project_id/image_path.

For more information about Kubernetes commands, see kubectl Overview. If your images are in another project, you must explicitly grant the service account used by the Kubernetes Engine cluster read access to the storage bucket that stores the images.

Read more about Configuring Access Control to find out how to give access to pull images from clusters running in other projects.

Kubernetes Engine uses the service account configured on the VM instances of cluster nodes to pull images from registries. Therefore, the service account used to pull the images is:

  • in the form [PROJECT_ID]-compute@developer.gserviceaccount.com by default, or
  • the same value as the --service-account option, if this option was specified while creating the cluster using gcloud.
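The cross-project case above, as an added example that is not part of the original documentation: it maps an image name to the Cloud Storage bucket behind it and prints (without running) a read-only grant for the node service account. The function names and sample values are constructed for illustration; the bucket layout assumed is artifacts.PROJECT_ID.appspot.com, prefixed with the region for us/eu/asia hosts.

```shell
# gcr_bucket IMAGE
# Prints the bucket backing a Container Registry image; returns 1 if the
# name is not a recognised *.gcr.io image.
gcr_bucket() {
  local image host rest project
  image="$1"
  host="${image%%/*}"                     # registry host, e.g. eu.gcr.io
  rest="${image#*/}"                      # project_id/image_path[:tag|@digest]
  [ "$rest" != "$image" ] || return 1     # no "/" in the name
  project="${rest%%/*}"
  [ "$project" != "$rest" ] || return 1   # project given but no image path
  # Domain-scoped projects (first path component contains a dot) use a
  # different bucket layout and are rejected rather than guessed at.
  case "$project" in ""|*.*|*:*|*@*) return 1 ;; esac
  case "$host" in
    gcr.io)
      printf 'artifacts.%s.appspot.com\n' "$project" ;;
    us.gcr.io|eu.gcr.io|asia.gcr.io)
      printf '%s.artifacts.%s.appspot.com\n' "${host%.gcr.io}" "$project" ;;
    *)
      return 1 ;;
  esac
}

# pull_grant_cmd IMAGE SERVICE_ACCOUNT
# Prints the gsutil command that gives SERVICE_ACCOUNT read-only
# (objectViewer) access to the image's bucket. Nothing is executed.
pull_grant_cmd() {
  local bucket sa
  sa="$2"
  bucket="$(gcr_bucket "$1")" || {
    echo "unsupported image name: $1" >&2; return 1; }
  case "$sa" in
    *@*.gserviceaccount.com) ;;
    *) echo "not a service account email: $sa" >&2; return 1 ;;
  esac
  printf 'gsutil iam ch serviceAccount:%s:objectViewer gs://%s\n' \
    "$sa" "$bucket"
}

# Constructed sample values: image in one project, cluster nodes in another.
pull_grant_cmd "eu.gcr.io/my-project/app:v1" \
  "123456789012-compute@developer.gserviceaccount.com"
```

Review the printed command before running it: the grant covers every image stored in that bucket, not just the one named.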

Google App Engine Flexible Environment

You can use the App Engine Flexible Environment to customize an existing runtime (such as Java 8), or to provide your own runtime by supplying a custom Docker image or Dockerfile.

The flexible environment automatically builds your container images using Container Builder and stores them in Container Registry.

Deploying to App Engine

You can deploy an image hosted by Container Registry to App Engine using the gcloud command-line tool.

You can use the gcloud beta app gen-config command in your image's root directory to automatically create the app.yaml file needed to deploy to App Engine. Alternatively, you can write the file yourself.

Once you have created the App Engine configuration file, built your Docker image, and pushed your image to Container Registry, you can deploy your image to App Engine by running the following command:

gcloud app deploy --image-url=[IMAGE_NAME]

where [IMAGE_NAME] is the name of the image in Container Registry. For example:

  • *.gcr.io/project_id/image_path:tag, or
  • *.gcr.io/project_id/image_path@sha256:digest.
