
10.3.2.1 GAR IAM Integration

A focused guide to GAR IAM Integration, connecting core concepts with practical Docker and container operations.

GAR IAM integration uses Google Cloud's Identity and Access Management system to control who can push to and pull from an Artifact Registry repository. Much as ECR integrates with AWS IAM, registry access is granted through the same permission system that governs every other resource in a Google Cloud project.

Granting Repository Access Through IAM

Permissions for a specific Artifact Registry repository are granted using standard Google Cloud IAM role bindings.

gcloud artifacts repositories add-iam-policy-binding myapp-repo \
  --location=us-central1 \
  --member=serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com \
  --role=roles/artifactregistry.writer

This grants a specific service account write access (the ability to push) to this particular repository, without granting any broader access across the project.

Using a Predefined Role for Read-Only Access

A more limited role can be granted to an identity that only needs to pull images, not publish them.

gcloud artifacts repositories add-iam-policy-binding myapp-repo \
  --location=us-central1 \
  --member=serviceAccount:gke-node@my-project.iam.gserviceaccount.com \
  --role=roles/artifactregistry.reader

Why This Integration Avoids a Separate Credential System

A Google Cloud compute resource granted appropriate IAM permissions can authenticate to Artifact Registry automatically, without needing a separately issued, manually managed registry credential.

gcloud auth configure-docker us-central1-docker.pkg.dev

This registers gcloud as the Docker credential helper for that registry host, so Docker authenticates with the currently active Google Cloud credentials rather than through a distinct login process specific to the registry.

Auditing Current Access Grants

Reviewing a repository's current IAM policy confirms exactly which identities have been granted what level of access.

gcloud artifacts repositories get-iam-policy myapp-repo --location=us-central1
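As an added example (not part of the original guide), the script below audits the JSON form of that policy, surfacing any public principal and every write-capable grant. The embedded policy is a constructed sample, and the set of roles it treats as write-capable is an assumption of the example.

```python
# Added example (not from the page): audit the JSON form of a repository's
# IAM policy, i.e. the output of
#   gcloud artifacts repositories get-iam-policy myapp-repo \
#       --location=us-central1 --format=json
# It lists every write-capable grant and flags public principals.
import json
import sys

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Roles this example treats as write-capable (push/delete artifacts).
WRITE_ROLES = {"roles/artifactregistry.writer",
               "roles/artifactregistry.repoAdmin",
               "roles/artifactregistry.admin"}

# Constructed sample policy in get-iam-policy JSON format, not real data.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/artifactregistry.writer",
         "members": ["serviceAccount:ci-deployer@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/artifactregistry.reader",
         "members": ["serviceAccount:gke-node@my-project.iam.gserviceaccount.com",
                     "allUsers"]},
    ],
    "etag": "BwX-constructed", "version": 1,
})

def members_by_role(policy_json):
    """Map each member to the sorted list of roles it holds on the repository."""
    grants = {}
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            grants.setdefault(member, set()).add(binding["role"])
    return {m: sorted(r) for m, r in grants.items()}

def findings(policy_json):
    """Return audit findings: a PUBLIC line per public principal, a WRITE line per write grant."""
    out = []
    for member, roles in members_by_role(policy_json).items():
        if member in PUBLIC_MEMBERS:
            out.append(f"PUBLIC: {member} has {', '.join(roles)}")
        out.extend(f"WRITE: {member} has {r}" for r in roles if r in WRITE_ROLES)
    return out

if __name__ == "__main__":
    # Read a live policy from stdin when piped, else audit the sample.
    policy = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for finding in findings(policy):
        print(finding)
```

Pipe the gcloud command's `--format=json` output into the script to audit a live repository; with no input it audits the constructed sample.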

Why GAR IAM Integration Matters

Managing Artifact Registry access through Google Cloud's standard IAM system keeps registry permissions consistent with how every other resource in a Google Cloud project is governed, simplifying both initial setup and ongoing access management.