Container Registry service account

The Container Registry Service Agent is a Google-managed service account that acts on behalf of Container Registry when interacting with Google Cloud services.

To enforce the security principle of least privilege, this service account is granted the Container Registry Service Agent role in projects where the Container Registry API was enabled after October 5, 2020. This role has the following permissions:

  • Publish topics: pubsub.topics.publish
  • Read storage object ACLs: storage.objects.getIamPolicy
  • Read storage object data and metadata: storage.objects.get
  • List storage objects in a bucket and read object metadata: storage.objects.list

Previously, the Container Registry service account was granted the Editor role. Since the Editor role grants permissions to create and delete most resources in a project, we recommend restricting permissions if your Container Registry service account has this role.

Finding the service account ID

The Container Registry service account has the following ID:

 service-[PROJECT_NUMBER]@containerregistry.iam.gserviceaccount.com

To find the service account, look at the list of principals that have access to your project.

Console

  1. Go to the IAM page.

  2. To add Google-managed accounts to the list of principals, select the Include Google-provided role grants check box.

  3. To filter the list, enter containerregistry in the Filter field.

gcloud

Run the following command to list principals that contain the string containerregistry:

 gcloud projects get-iam-policy PROJECT-ID \
     --flatten="bindings[].members" \
     --filter="containerregistry"

Replace PROJECT-ID with your Google Cloud project ID.

Verifying current permissions

To verify the current permissions of your Container Registry service account, run the command:

 gcloud projects get-iam-policy PROJECT-ID \
     --flatten="bindings[].members" \
     --format='table(bindings.role)' \
     --filter="bindings.members:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com"

Where:

  • PROJECT-ID is the Google Cloud project ID.
  • PROJECT-NUMBER is the Google Cloud project number.

You can obtain the project ID and project number in the Google Cloud console or with the following commands:

 PROJECT=$(gcloud config get-value project)
 echo $PROJECT && gcloud projects list --filter="$PROJECT" --format="value(PROJECT_NUMBER)"

Changing permissions

To grant the Container Registry Service Agent role and revoke the Editor role:

  1. Grant the Container Registry Service Agent role with the following command:

     gcloud projects add-iam-policy-binding PROJECT-ID \
         --member=serviceAccount:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com \
         --role=roles/containerregistry.ServiceAgent
    
  2. Revoke the Editor role with the following command:

     gcloud projects remove-iam-policy-binding PROJECT-ID \
         --member=serviceAccount:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com \
         --role=roles/editor
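The same audit can be scripted over the JSON form of the policy, so that the verification and the two remediation steps above are applied only to a Container Registry service agent that still holds the Editor role. This is an added example, not part of the Google documentation; it reads the output of `gcloud projects get-iam-policy PROJECT-ID --format=json` (here replaced by a constructed sample policy with a placeholder project number) and only builds the gcloud commands, it does not run them.

```python
import json
import re

# Constructed sample of `gcloud projects get-iam-policy PROJECT-ID --format=json`.
# The project number 123456789012 and the user names are placeholders, not real values.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": [
             "serviceAccount:service-123456789012@containerregistry.iam.gserviceaccount.com",
             "user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXYZ=",
    "version": 1,
})

# Matches the Container Registry service agent ID described on this page.
AGENT_RE = re.compile(
    r"^serviceAccount:service-(\d+)@containerregistry\.iam\.gserviceaccount\.com$")
AGENT_ROLE = "roles/containerregistry.ServiceAgent"


def audit_gcr_agent(policy_json):
    """Collect the roles bound to each Container Registry service agent in the policy.

    Returns {member: {"roles": [...], "has_editor": bool, "has_agent_role": bool}}.
    """
    policy = json.loads(policy_json)
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if AGENT_RE.match(member):
                roles_by_member.setdefault(member, []).append(binding["role"])
    return {m: {"roles": sorted(r),
                "has_editor": "roles/editor" in r,
                "has_agent_role": AGENT_ROLE in r}
            for m, r in roles_by_member.items()}


def remediation_commands(project_id, audit):
    """Build the page's grant-then-revoke commands for each over-privileged agent.

    The grant is emitted first so the agent never loses access between the two steps.
    """
    cmds = []
    for member, info in audit.items():
        if not info["has_editor"]:
            continue  # already least-privilege, nothing to change
        if not info["has_agent_role"]:
            cmds.append(f"gcloud projects add-iam-policy-binding {project_id} "
                        f"--member={member} --role={AGENT_ROLE}")
        cmds.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                    f"--member={member} --role=roles/editor")
    return cmds
```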
    