Compute resources in Google Cloud Platform are integrated with Container Registry for easy access.
Google Compute Engine
To pull private Docker images from a Compute Engine instance,
ensure that your instance has
read permission for the image's bucket.
This is configured correctly by default if your instance and the image bucket
are in the same Google Cloud Platform project.
To push private Docker images from a Compute Engine
instance, your instance must have
to the image's bucket.
To start an instance with
read-write permission to your Storage buckets,
run the command:
gcloud compute instances create INSTANCE \ --scopes https://www.googleapis.com/auth/devstorage.read_write
Container-optimized Compute Engine Instances
For information about how to start a container-optimized Google Compute Engine instance using an image in your registry, see Starting a Docker container via cloud-config.
For additional information, see Creating and Configuring Instances.
Google Kubernetes Engine
Kubernetes Engine clusters are automatically configured with access to pull private images from the Container Registry in the same project. You do not need to follow additional steps to configure authentication if the registry and the cluster are in the same Cloud project.
You can run a Container Registry image on a Kubernetes Engine cluster using the following command:
kubectl run [NAME] --image=[IMAGE_NAME]
[NAME]is the name of the resource
[IMAGE_NAME]is the name of the image in Container Registry. The name format should be
For more information about Kubernetes commands, see kubectl Overview. If your images are on another project, you explicitly need to grant read access to the service account used by the Kubernetes Engine cluster on the storage bucket storing the images.
Read more about Configuring Access Control to find out how to give access to pull images from clusters running in other projects.
Kubernetes Engine uses the service account configured on the VM instances of cluster nodes to pull images from registries. Therefore, the service account used to pull the images is:
- in the form
[PROJECT_ID]-firstname.lastname@example.org default, or
- the same value as the
--service-accountoption, if this option was specified while creating the cluster using
Google App Engine Flexible Environment
You can use the App Engine Flexible Environment to customize an existing runtime (such as Java 8), or to provide your own runtime by supplying a custom Docker image or Dockerfile.
The flexible environment automatically builds your container images using Container Builder and stores them in Container Registry.
Deploying to App Engine
You can deploy an image hosted by Container Registry to App Engine using
gcloud command-line tool.
You can use the
gcloud beta app gen-config
command in your image's root directory to automatically create the
file needed to deploy to App Engine. Alternatively, you can write the file
Once you have created the App Engine configuration file, built your Docker image, and pushed your image to Container Registry , you can deploy your image to App Engine by running the following command:
gcloud app deploy --image-url=[IMAGE_NAME]
[IMAGE_NAME] is name of the image in Container Registry. For