Container Registry is deprecated. Effective March 18, 2025, Container Registry is shut down and writing images to Container Registry is unavailable. For more information about the Container Registry deprecation and how to migrate to Artifact Registry, see Container Registry deprecation.
Stay organized with collections
Save and categorize content based on your preferences.
The Container Registry Service Agent is a Google-managed service account that
acts on behalf of Container Registry when interacting with Google Cloud
services.
To enforce the security principle of least privilege, this service account is
granted the Container Registry Service Agent role in projects where the
Container Registry API was enabled after October 5, 2020. This role has the
following permissions:
Read storage object data and metadata: storage.objects.get
List storage objects in a bucket and read object metadata: storage.objects.list
Previously, the Container Registry service account was granted the
Editor role. Since the Editor role grants
permissions to create and delete most resources in a project, we recommend
restricting permissions if your Container Registry service account has this role.
Finding the service account ID
The Container Registry service account has the following ID:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eThe Container Registry Service Agent is a Google-managed service account that interacts with Google Cloud services on behalf of Container Registry.\u003c/p\u003e\n"],["\u003cp\u003eFor projects where the Container Registry API was enabled after October 5, 2020, the service account is granted the Container Registry Service Agent role, which includes permissions like publishing topics and reading storage data.\u003c/p\u003e\n"],["\u003cp\u003eThe service account ID follows the format: \u003ccode\u003eservice-[PROJECT_NUMBER]@containerregistry.iam.gserviceaccount.com\u003c/code\u003e, and it can be found in the project's IAM page or using the gcloud command-line tool.\u003c/p\u003e\n"],["\u003cp\u003eIt is recommended to verify and change the permissions of the Container Registry service account from the previously assigned Editor role to the Container Registry Service Agent role to enforce the security principle of least privilege.\u003c/p\u003e\n"],["\u003cp\u003eYou can use the provided gcloud commands to verify the current permissions of the service account, and grant or revoke roles as necessary, including the Service Agent and Editor roles.\u003c/p\u003e\n"]]],[],null,["# Container Registry service account\n\nThe Container Registry Service Agent is a Google-managed service account that\nacts on behalf of Container Registry when interacting with Google Cloud\nservices.\n\nTo enforce the security principle of least privilege, this service account is\ngranted the Container Registry Service Agent role in projects where the\nContainer Registry API was enabled after October 5, 2020. This role has the\nfollowing permissions:\n\n- Publish topics: `pubsub.topics.publish`\n- Read storage object ACLs: `storage.objects.getIamPolicy`\n- Read storage object data and metadata: `storage.objects.get`\n- List storage objects in a bucket and read object metadata: `storage.objects.list`\n\nPreviously, the Container Registry service account was granted the\n[Editor](/iam/docs/understanding-roles#basic) role. Since the Editor role grants\npermissions to create and delete most resources in a project, we recommend\nrestricting permissions if your Container Registry service account has this role.\n\nFinding the service account ID\n------------------------------\n\nThe Container Registry service account has the following ID: \n\n service-[PROJECT_NUMBER]@containerregistry.iam.gserviceaccount.com\n\nTo find the service account, look at the list of principals that have access\nto your project. \n\n### Console\n\n1. Go to the [IAM page](https://console.cloud.google.com/iam-admin/iam).\n\n2. To add Google-managed accounts to the list of principals, select the\n **Include Google-provided role grants** check box.\n\n3. To filter the list, enter `containerregistry` in the **Filter** field.\n\n### gcloud\n\nRun the following command to list principals that contain the string\n`containerregistry`: \n\n gcloud projects get-iam-policy \u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e \\\n --flatten=\"bindings[].members\"\n --filter=\"containerregistry\"\n\nReplace \u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e with your Google Cloud project ID.\n\nVerifying current permissions\n-----------------------------\n\nTo verify the current permissions of your Container Registry service account,\nrun the command: \n\n gcloud projects get-iam-policy \u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e \\\n --flatten=\"bindings[].members\" \\\n --format='table(bindings.role)' \\\n --filter=\"bindings.members:service-\u003cvar translate=\"no\"\u003ePROJECT-NUMBER\u003c/var\u003e@containerregistry.iam.gserviceaccount.com\"\n\nWhere\n\n- \u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e is the Google Cloud project ID.\n- \u003cvar translate=\"no\"\u003ePROJECT-NUMBER\u003c/var\u003e is the Google Cloud project number.\n\nYou can obtain the project ID and project number in the\n[Google Cloud console](/resource-manager/docs/creating-managing-projects#identifying_projects)\nor with the following commands: \n\n PROJECT=$(gcloud config get-value project)\n echo $PROJECT && gcloud projects list --filter=\"$PROJECT\" --format=\"value(PROJECT_NUMBER)\"\n\nChanging permissions\n--------------------\n\nTo grant the Container Registry Service Agent role and revoke the Editor role:\n\n1. Grant the Container Registry Service Agent role with the following command:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT-NUMBER\u003c/var\u003e@containerregistry.iam.gserviceaccount.com --role=roles/containerregistry.ServiceAgent\n\n2. Revoke the Editor role with the following command:\n\n gcloud projects remove-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT-NUMBER\u003c/var\u003e@containerregistry.iam.gserviceaccount.com --role=roles/editor"]]
