Stay organized with collectionsSave and categorize content based on your preferences.
The Artifact Registry Service Agent acts on behalf of
Artifact Registry when interacting with Google Cloud services.
After you create the first Artifact Registry repository in a
Google Cloud project, the Artifact Registry Service Agent
is automatically created. The service agent identifier is:
ReplacePROJECT-IDwith the Google Cloud project ID.
The Artifact Registry Service Agent is granted the Artifact Registry
Service Agent role (roles/artifactregistry.serviceAgent) for resources in the
project. To enforce the security principle of least privilege, the role only
has the minimum required permissions:
Publish Pub/Sub topics:pubsub.topics.publish
Download artifacts from Artifact Registry repositories:artifactregistry.repositories.downloadArtifacts
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThe Artifact Registry Service Agent operates on behalf of Artifact Registry when interacting with other Google Cloud services.\u003c/p\u003e\n"],["\u003cp\u003eThis service agent is automatically generated upon the creation of the first Artifact Registry repository within a Google Cloud project.\u003c/p\u003e\n"],["\u003cp\u003eThe service agent's identifier is \u003ccode\u003eservice-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com\u003c/code\u003e, where PROJECT-NUMBER represents the project number.\u003c/p\u003e\n"],["\u003cp\u003eThe service agent is granted the Artifact Registry Service Agent role, which includes permissions for publishing Pub/Sub topics, downloading artifacts, and deleting artifacts.\u003c/p\u003e\n"],["\u003cp\u003eYou can manually create the service agent in projects without any repositories using the provided \u003ccode\u003egcloud\u003c/code\u003e command.\u003c/p\u003e\n"]]],[],null,["# Artifact Registry Service Agent\n\nThe Artifact Registry Service Agent acts on behalf of\nArtifact Registry when interacting with Google Cloud services.\n\nAfter you create the first Artifact Registry repository in a\nGoogle Cloud project, the Artifact Registry Service Agent\nis automatically created. The service agent identifier is:\n\n`service-`\u003cvar translate=\"no\"\u003ePROJECT-NUMBER\u003c/var\u003e`@gcp-sa-artifactregistry.iam.gserviceaccount.com`\n\n\u003cvar translate=\"no\"\u003ePROJECT-NUMBER\u003c/var\u003e is the [project number](/resource-manager/docs/creating-managing-projects#identifying_projects) of the\nGoogle Cloud project where Artifact Registry is running.\n\nYou can manually create the service account in a project without any\nrepositories with the command: \n\n gcloud beta services identity create \\\n --service=artifactregistry.googleapis.com \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e\n\nReplace \u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e with the Google Cloud project ID.\n\nThe Artifact Registry Service Agent is granted the Artifact Registry\nService Agent role (`roles/artifactregistry.serviceAgent`) for resources in the\nproject. To enforce the security principle of least privilege, the role only\nhas the minimum required permissions:\n\n- Publish Pub/Sub topics: `pubsub.topics.publish`\n- Download artifacts from Artifact Registry repositories: `artifactregistry.repositories.downloadArtifacts`\n- Delete artifacts: `artifactregistry.versions.delete`\n\nWhat's next\n-----------\n\nLearn about\n[Artifact Registry roles and configuring access to repositories](/artifact-registry/docs/access-control)."]]
