The Artifact Registry Service Agent acts on behalf of Artifact Registry when interacting with Google Cloud services.
After you create the first Artifact Registry repository in a Google Cloud project, the Artifact Registry Service Agent is automatically created. The service agent identifier is:
service-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com
PROJECT-NUMBER is the project number of the Google Cloud project where Artifact Registry is running.
You can manually create the service account in a project without any repositories with the command:
    gcloud beta services identity create \
        --service=artifactregistry.googleapis.com \
        --project=PROJECT-ID
Replace PROJECT-ID with the Google Cloud project ID.
The Artifact Registry Service Agent is granted the Artifact Registry Service Agent role (roles/artifactregistry.serviceAgent) for resources in the project. To enforce the security principle of least privilege, the role only has the minimum required permissions:
- Publish Pub/Sub topics: pubsub.topics.publish
- Download artifacts from Artifact Registry repositories: artifactregistry.repositories.downloadArtifacts
- Delete artifacts: artifactregistry.versions.delete
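To check that a project still matches the grant described above, the following added example (not part of the original page or of Google's tooling) audits a project IAM policy in the JSON form printed by `gcloud projects get-iam-policy PROJECT-ID --format=json`. The function names, the sample policy and the project number 123456789012 are constructed for illustration, and the check assumes the service agent role should be bound only to the service agent itself.

```python
import json

AGENT_ROLE = "roles/artifactregistry.serviceAgent"
AGENT_DOMAIN = "gcp-sa-artifactregistry.iam.gserviceaccount.com"


def agent_member(project_number):
    """Build the IAM member string for the project's service agent."""
    return f"serviceAccount:service-{project_number}@{AGENT_DOMAIN}"


def audit_agent_bindings(policy, project_number):
    """Return findings where the policy departs from the documented grant."""
    member = agent_member(project_number)
    findings = []
    has_agent_role = False
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        conditional = " (conditional)" if "condition" in binding else ""
        if role == AGENT_ROLE:
            for m in members:
                if m == member:
                    has_agent_role = True
                else:
                    # Assumption of this check: nobody else should hold the agent role.
                    findings.append(f"unexpected member on {role}: {m}")
        elif member in members:
            # Any further role widens the agent beyond its minimum permissions.
            findings.append(f"extra role on service agent: {role}{conditional}")
    if not has_agent_role:
        findings.append(f"service agent lacks {AGENT_ROLE}")
    return findings


# Constructed sample policy; the project number and user are made up.
SAMPLE_POLICY = json.loads("""
{"version": 1, "bindings": [
  {"role": "roles/artifactregistry.serviceAgent",
   "members": ["serviceAccount:service-123456789012@gcp-sa-artifactregistry.iam.gserviceaccount.com"]},
  {"role": "roles/storage.admin",
   "members": ["user:dev@example.com",
               "serviceAccount:service-123456789012@gcp-sa-artifactregistry.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for finding in audit_agent_bindings(SAMPLE_POLICY, "123456789012"):
        print(finding)
```

This covers only the project-level policy passed in; bindings set on individual resources are not inspected.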
What's next
Learn about Artifact Registry roles and configuring access to repositories.

