Toinitializethe gcloud CLI, run the following command:
gcloudinit
Required roles
To get the permissions that
you need to find Container Registry usage in your Google Cloud project, folder, or organization,
ask your administrator to grant you the
following IAM roles:
Cloud Asset Viewer(roles/cloudasset.viewer)
on the Google Cloud project, folder or organization
Storage Object Viewer(roles/storage.objectViewer)
on the Google Cloud project, folder or organization
WherePROJECTis your Google Cloud project ID. For information on
how to find your project
ID, seeIdentifying projects.
The tool returns a list of your host locations for the specified project, and
their usage state. The usage states are defined as follows:
ACTIVE: Container Registry usage has occurred in the last 30 days. The host
location and project are not redirected.
INACTIVE: No Container Registry usage has occurred in the last 30 days. The
host location and project are not redirected.
REDIRECTED: the project has been redirected to Artifact Registry but still
has Container Registry Cloud Storage buckets. This
project will continue to function after Container Registry is turned down and
no further action is required. You can reduce costs by deleting the
Container Registry Cloud Storage buckets.
REDIRECTION_INCOMPLETE: requests are redirected to Artifact Registry, but
data is still being copied from Container Registry.
LEGACY: Container Registry usage is unknown. This state is caused by legacy
Container Registry projects that store container image metadata files in
Cloud Storage buckets. For more information on legacy Container Registry
projects, seeContainer image metadata storage change.
If the tool encounters errors, such as missing permissions to view the
Cloud Storage bucket or Container Registry project, then you will see an error
message similar to the following:
WhereFOLDERis your Google Cloud folder ID. For information on how
to list folders in your organization, seeList folders.
The tool returns the following lists of usage states:
ACTIVE: Container Registry usage has occurred in the last 30 days. The host
location and project are not redirected.
INACTIVE: No Container Registry usage has occurred in the last 30 days. The
host location and project are not redirected.
REDIRECTED: the project has been redirected to Artifact Registry but still
has Container Registry Cloud Storage buckets. This
project will continue to function after Container Registry is turned down and
no further action is required. You can reduce costs by deleting the
Container Registry Cloud Storage buckets.
REDIRECTION_INCOMPLETE: requests are redirected to Artifact Registry, but
data is still being copied from Container Registry.
LEGACY: Container Registry usage is unknown. This state is caused by legacy
Container Registry projects that store container image metadata files in
Cloud Storage buckets. For more information on legacy Container Registry
projects, seeContainer image metadata storage change.
If the tool encounters errors, such as missing permissions to view the
Cloud Storage bucket or Container Registry project, then you will see an error
message similar to the following:
WhereORGANIZATIONis your Google Cloud organization ID. For
information about how to find your organization ID, seeGetting your organization resource ID.
The tool returns the following lists of usage states:
ACTIVE: Container Registry usage has occurred in the last 30 days. The host
location and project are not redirected.
INACTIVE: No Container Registry usage has occurred in the last 30 days. The
host location and project are not redirected.
REDIRECTED: the project has been redirected to Artifact Registry but still
has Container Registry Cloud Storage buckets. This
project will continue to function after Container Registry is turned down and
no further action is required. You can reduce costs by deleting the
Container Registry Cloud Storage buckets.
REDIRECTION_INCOMPLETE: requests are redirected to Artifact Registry, but
data is still being copied from Container Registry.
LEGACY: Container Registry usage is unknown. This state is caused by legacy
Container Registry projects that store container image metadata files in
Cloud Storage buckets. For more information on legacy Container Registry
projects, seeContainer image metadata storage change.
If the tool encounters errors, such as missing permissions to view the
Cloud Storage bucket or Container Registry project, then you will see an error
message similar to the following:
To control which resource items are listed, pass the--filter=EXPRESSIONflag. If the expression evaluates to true
for a given item, then that item is listed.
To list all active Container Registry usage in your organization, you can filter
by active usage:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis tool checks for Container Registry usage within a specified Google Cloud project, folder, or organization.\u003c/p\u003e\n"],["\u003cp\u003eTo use the tool, the gcloud CLI needs to be installed and initialized, and the user needs Cloud Asset Viewer and Storage Object Viewer IAM roles.\u003c/p\u003e\n"],["\u003cp\u003eThe tool can output several usage states, including \u003ccode\u003eACTIVE\u003c/code\u003e, \u003ccode\u003eINACTIVE\u003c/code\u003e, \u003ccode\u003eREDIRECTED\u003c/code\u003e, \u003ccode\u003eREDIRECTION_INCOMPLETE\u003c/code\u003e, and \u003ccode\u003eLEGACY\u003c/code\u003e, that describe the Container Registry's usage and status.\u003c/p\u003e\n"],["\u003cp\u003eYou can filter the results of the tool by usage state to see, for example, all active usage or all projects not yet redirected.\u003c/p\u003e\n"],["\u003cp\u003eThe tool indicates errors if there are permission issues with listing Cloud Storage buckets or Container Registry project.\u003c/p\u003e\n"]]],[],null,["Run this tool to determine if there is Container Registry usage within your\nGoogle Cloud project, folder, or organization.\n\nBefore you begin\n\n1.\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n | **Note:** If you installed the gcloud CLI previously, make sure you have the latest version by running `gcloud components update`.\n2. If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n3.\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n\n\u003cbr /\u003e\n\nRequired roles\n\n\nTo get the permissions that\nyou need to find Container Registry usage in your Google Cloud project, folder, or organization,\n\nask your administrator to grant you the\nfollowing IAM roles:\n\n- [Cloud Asset Viewer](/iam/docs/roles-permissions/cloudasset#cloudasset.viewer) (`roles/cloudasset.viewer`) on the Google Cloud project, folder or organization\n- [Storage Object Viewer](/iam/docs/roles-permissions/storage#storage.objectViewer) (`roles/storage.objectViewer`) on the Google Cloud project, folder or organization\n\n\nFor more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).\n\n\nYou might also be able to get\nthe required permissions through [custom\nroles](/iam/docs/creating-custom-roles) or other [predefined\nroles](/iam/docs/roles-overview#predefined).\n\nFind Container Registry usage\n\nYou can run the tool scoped to a single Google Cloud project, folder, or\norganization. \n\nproject\n\nRun the following command to find any Container Registry usage in your\nGoogle Cloud project. \n\n gcloud container images list-gcr-usage \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\nWhere \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e is your Google Cloud project ID. For information on\nhow to find your project\nID, see [Identifying projects](/resource-manager/docs/creating-managing-projects#identifying_projects).\n\nThe tool returns a list of your host locations for the specified project, and\ntheir usage state. The usage states are defined as follows:\n\n\n- `ACTIVE`: Container Registry usage has occurred in the last 30 days. The host location and project are not redirected.\n- `INACTIVE`: No Container Registry usage has occurred in the last 30 days. The host location and project are not redirected.\n- `REDIRECTED`: the project has been redirected to Artifact Registry but still has Container Registry Cloud Storage buckets. This project will continue to function after Container Registry is turned down and no further action is required. You can reduce costs by deleting the Container Registry Cloud Storage buckets.\n- `REDIRECTION_INCOMPLETE`: requests are redirected to Artifact Registry, but data is still being copied from Container Registry.\n- `LEGACY`: Container Registry usage is unknown. This state is caused by legacy Container Registry projects that store container image metadata files in Cloud Storage buckets. For more information on legacy Container Registry projects, see [Container image metadata storage change](/container-registry/docs/deprecations/feature-deprecations#container_image_metadata_storage_change).\n\nIf the tool encounters errors, such as missing permissions to view the\nCloud Storage bucket or Container Registry project, then you will see an error\nmessage similar to the following: \n\n repository: us.gcr.io/my-project\n usage: |-\n response: {'status': 401}\n Operation on project 'no-gcr-permission' failed. Caller does not have permission 'storage.objects.list'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control: None\n\n\u003cbr /\u003e\n\nfolder\n\nRun the following command to find any Container Registry usage in your\nGoogle Cloud folder. \n\n gcloud container images list-gcr-usage \\\n --folder=\u003cvar translate=\"no\"\u003eFOLDER\u003c/var\u003e\n\nWhere \u003cvar translate=\"no\"\u003eFOLDER\u003c/var\u003e is your Google Cloud folder ID. For information on how\nto list folders in your organization, see\n[List folders](/resource-manager/docs/creating-managing-folders#list).\n\nThe tool returns the following lists of usage states:\n\n\n- `ACTIVE`: Container Registry usage has occurred in the last 30 days. The host location and project are not redirected.\n- `INACTIVE`: No Container Registry usage has occurred in the last 30 days. The host location and project are not redirected.\n- `REDIRECTED`: the project has been redirected to Artifact Registry but still has Container Registry Cloud Storage buckets. This project will continue to function after Container Registry is turned down and no further action is required. You can reduce costs by deleting the Container Registry Cloud Storage buckets.\n- `REDIRECTION_INCOMPLETE`: requests are redirected to Artifact Registry, but data is still being copied from Container Registry.\n- `LEGACY`: Container Registry usage is unknown. This state is caused by legacy Container Registry projects that store container image metadata files in Cloud Storage buckets. For more information on legacy Container Registry projects, see [Container image metadata storage change](/container-registry/docs/deprecations/feature-deprecations#container_image_metadata_storage_change).\n\nIf the tool encounters errors, such as missing permissions to view the\nCloud Storage bucket or Container Registry project, then you will see an error\nmessage similar to the following: \n\n repository: us.gcr.io/my-project\n usage: |-\n response: {'status': 401}\n Operation on project 'no-gcr-permission' failed. Caller does not have permission 'storage.objects.list'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control: None\n\n\u003cbr /\u003e\n\norganization\n\nRun the following command to find any Container Registry usage in your\nGoogle Cloud organization. \n\n gcloud container images list-gcr-usage \\\n --organization=\u003cvar translate=\"no\"\u003eORGANIZATION\u003c/var\u003e\n\nWhere \u003cvar translate=\"no\"\u003eORGANIZATION\u003c/var\u003e is your Google Cloud organization ID. For\ninformation about how to find your organization ID, see\n[Getting your organization resource ID](/resource-manager/docs/creating-managing-organization#retrieving_your_organization_id).\n\nThe tool returns the following lists of usage states:\n\n\n- `ACTIVE`: Container Registry usage has occurred in the last 30 days. The host location and project are not redirected.\n- `INACTIVE`: No Container Registry usage has occurred in the last 30 days. The host location and project are not redirected.\n- `REDIRECTED`: the project has been redirected to Artifact Registry but still has Container Registry Cloud Storage buckets. This project will continue to function after Container Registry is turned down and no further action is required. You can reduce costs by deleting the Container Registry Cloud Storage buckets.\n- `REDIRECTION_INCOMPLETE`: requests are redirected to Artifact Registry, but data is still being copied from Container Registry.\n- `LEGACY`: Container Registry usage is unknown. This state is caused by legacy Container Registry projects that store container image metadata files in Cloud Storage buckets. For more information on legacy Container Registry projects, see [Container image metadata storage change](/container-registry/docs/deprecations/feature-deprecations#container_image_metadata_storage_change).\n\nIf the tool encounters errors, such as missing permissions to view the\nCloud Storage bucket or Container Registry project, then you will see an error\nmessage similar to the following: \n\n repository: us.gcr.io/my-project\n usage: |-\n response: {'status': 401}\n Operation on project 'no-gcr-permission' failed. Caller does not have permission 'storage.objects.list'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control: None\n\n\u003cbr /\u003e\n\nFilter results\n\nTo control which resource items are listed, pass the\n`--filter=`\u003cvar translate=\"no\"\u003eEXPRESSION\u003c/var\u003e flag. If the expression evaluates to true\nfor a given item, then that item is listed.\n\nTo list all active Container Registry usage in your organization, you can filter\nby active usage: \n\n gcloud container images list-gcr-usage \\\n --organization=\u003cvar translate=\"no\"\u003eORGANIZATION\u003c/var\u003e \\\n --filter=\"usage=ACTIVE\"\n\nTo find all projects that aren't redirected yet, you can filter by\n`usage!=REDIRECTED`: \n\n gcloud container images list-gcr-usage \\\n --organization=\u003cvar translate=\"no\"\u003eORGANIZATION\u003c/var\u003e \\\n --filter=\"usage!=REDIRECTED\"\n\nFor more information on filter\nexpressions, run `gcloud topic filters` or read the\n[reference documentation](/sdk/gcloud/reference/topic/filters).\n\nWhat's next\n\n- Determine the [transition option](/artifact-registry/docs/transition/transition-from-gcr#transition-options) you want to take.\n- Use the [automatic migration tool](/artifact-registry/docs/transition/auto-migrate-gcr-ar) to transition to Artifact Registry."]]
