Artifact Registry IAM

Apr 1, 2025 registry containers iam
Share on:

Artifact Registry is replacing Container Registry. If you want to access your Artifact Registry, there are couple of things to know. In this blog post, learn how to make a registry public or provide specific users with access.

To get started we will build a demo container and make this available for upload/download using Artifact Registry. This tutorial will guide you through the process of setting up a public Docker container registry using Google Cloud Artifact Registry. By making your registry public, anyone with internet access is allowed to pull your container images.

Prerequisites

  • A Google Cloud Project with billing enabled.
  • The Google Cloud CLI (gcloud) installed and configured to point to your project.
  • Docker installed on your local machine.

Step 1: Create a Sample Docker Image

First, let's create a simple Docker image that we will later push to our Artifact Registry.

  1. Create a Dockerfile: Create a new directory and within it, create a file named Dockerfile with the following content:

    1FROM debian:stable-slim
2
3ENTRYPOINT ["echo"]
4CMD ["Hello from Artifact Registry!"]

    This Dockerfile uses a minimal Debian image and sets the command to simply echo a message.

Step 2: Create a Docker Artifact Registry

Create a Docker repository within Google Cloud Artifact Registry to store our container images.

  1. Choose a Repository Name and Location: Select a unique name for your repository (replace REPOSITORY_NAME below) and a Google Cloud region that is geographically close to you (replace LOCATION below, e.g., europe-west2 for London).

  2. Create the Repository: Execute the following gcloud command:

    1gcloud artifacts repositories create REPOSITORY_NAME \
2    --repository-format=docker \
3    --location=LOCATION \
4    --description="Public Docker repository for my application" \
5    --mode=standard
    • REPOSITORY_NAME: The name you choose for your repository (e.g., my-public-repo).
    • --repository-format=docker: Specifies that this repository will store Docker container images.
    • --location=LOCATION: The Google Cloud region where the repository will be located (e.g., us-central1).
    • --description: An optional but recommended description for your repository.
    • --mode=standard: The standard mode provides a fully managed Artifact Registry. Other modes like remote and virtual are for more advanced use cases.

  3. Note the Registry Signature: Once created, your Artifact Registry will have a unique signature that you'll use when tagging and pushing images. The format is:

    1[LOCATION]-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY_NAME]

    For example, if your project ID is my-gcp-project, your repository name is my-public-repo, and your location is us-central1, the signature would be:

    1us-central1-docker.pkg.dev/my-gcp-project/my-public-repo

Step 3: Tag and Push the Docker Image

Build the Docker image and tag it with the Artifact Registry signature before pushing it.

  1. Build the Docker Image with the Registry Tag: Navigate to the directory containing your Dockerfile and run the following command, replacing the placeholders with your actual values and choosing a tag for your image (e.g., 0.0.1):

    1docker build -t [LOCATION]-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY_NAME]/echo-app:0.0.1 .
    • [LOCATION]-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY_NAME]: Your Artifact Registry signature.
    • echo-app:0.0.1: The name you want to give your image within the repository and its tag (version).

    For our example:

    1docker build -t us-central1-docker.pkg.dev/my-gcp-project/my-public-repo/echo-app:0.0.1 .

  2. Push the Image to Artifact Registry: Push the tagged image to your newly created repository:

    1docker push [LOCATION]-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY_NAME]/echo-app:0.0.1

    For our example:

    1docker push us-central1-docker.pkg.dev/my-gcp-project/my-public-repo/echo-app:0.0.1

    You might be prompted to enable the Artifact Registry API if you haven't already. Follow the instructions provided in the gcloud output.

Step 4: Grant Public Access to the Artifact Registry

By default, Artifact Registry is private, and access is controlled through Identity and Access Management (IAM). To make your registry publicly accessible for pulling images, you need to grant the roles/artifactregistry.reader role to the special principal allUsers.

  1. Make the Repository Public: Execute the following gcloud command, replacing REPOSITORY_NAME, LOCATION, and PROJECT_ID with your values:

    1gcloud artifacts repositories add-iam-policy-binding REPOSITORY_NAME \
2    --location=LOCATION \
3    --member="allUsers" \
4    --role="roles/artifactregistry.reader" \
5    --project=PROJECT_ID

    For our example:

    1gcloud artifacts repositories add-iam-policy-binding my-public-repo \
2    --location=us-central1 \
3    --member="allUsers" \
4    --role="roles/artifactregistry.reader" \
5    --project=my-gcp-project

    This command grants the artifactregistry.reader role to allUsers on the specified repository. This means anyone can now pull images from this repository.

Understanding Access Control (IAM)

Artifact Registry uses IAM to manage access to your repositories and the artifacts within them.

  • Private by Default: By default, only members (users, groups, service accounts) within your Google Cloud project have access to your Artifact Registry.
  • Granular Permissions: You can grant specific roles to different members to control their level of access. Common roles include:
    • roles/artifactregistry.writer: Allows users to push, pull, and manage artifacts.
    • roles/artifactregistry.reader: Allows users to pull artifacts.
  • Public Access with allUsers: Adding the roles/artifactregistry.reader role to the allUsers principal removes the authentication requirement for pulling images from that specific repository.

Step 5: Verify Public Access (Optional)

To verify that your registry is now public, you can try to pull the image from a machine or environment that is not authenticated to your Google Cloud project.

1docker pull [LOCATION]-docker.pkg.dev/[PROJECT_ID]/[REPOSITORY_NAME]/echo-app:0.0.1

For example:

1docker pull us-central1-docker.pkg.dev/my-gcp-project/my-public-repo/echo-app:0.0.1

If the pull is successful without requiring any Google Cloud credentials, your public registry is set up correctly.

Conclusion

You have now successfully created a public Docker container registry using Google Cloud Artifact Registry. This allows you to easily share your container images with a wider audience. Remember to carefully consider the implications of making a registry public and ensure that you only store images that are intended for public consumption. For more fine-grained access control, you can always manage permissions using individual users, groups, or service accounts within your Google Cloud project.