GCP Container Registry
GCP Container Registry integration allows your product to access and fetch container repositories, list container images, view tags, and gather metadata stored in Google Container Registry (GCR) or Artifact Registry. This integration helps in vulnerability scanning, image inventory, and compliance monitoring across containerized environments.
Credentials Needed
You'll need credentials from a Google Cloud Service Account that has permission to read container images and repositories.
Required credentials:
- Service Account JSON Key File (contains project_id, client_email, private_key, etc.)
This key enables secure authentication with GCP's Container Registry and Artifact Registry APIs.
Permissions Needed
To read container image data and metadata from GCR or Artifact Registry, the service account must have read-only permissions.
Required Roles
| Role | Purpose |
|---|---|
| Storage Object Viewer (roles/storage.objectViewer) | Allows read access to images stored in GCR buckets (artifacts.<region>.gcr.io, gcr.io, etc.). |
| Artifact Registry Reader (roles/artifactregistry.reader) | Grants permission to list repositories, images, and tags in Artifact Registry. |
| Viewer (roles/viewer) (Optional) | Read access to general project metadata. |
Key Permissions These Roles Cover
- artifactregistry.repositories.list
- artifactregistry.repositories.get
- artifactregistry.dockerimages.list
- storage.objects.list
- storage.objects.get
- resourcemanager.projects.get
Creating Users / Service Account in GCP
Step 1: Create a Service Account
- Go to GCP Console → IAM & Admin → Service Accounts
- Click + CREATE SERVICE ACCOUNT
- Enter a name (e.g., gcr-integration-sa)
- Click Create and Continue
Step 2: Assign Roles
- Under Grant this service account access to project, click + Add Another Role
- Add: Storage Object Viewer, Artifact Registry Reader, and (optional) Viewer
- Click Continue → Done
Step 3: Create and Download JSON Key
- Select the created Service Account
- Go to Keys → Add Key → Create new key
- Choose JSON format
- Download and securely store the file (e.g., gcp-gcr-key.json)
Test Connectivity
You can verify access using the gcloud CLI:
```bash
# Authenticate using the Service Account key
gcloud auth activate-service-account --key-file=gcp-gcr-key.json
# Verify authentication
gcloud auth list
# Set the project
gcloud config set project <PROJECT_ID>
# List repositories in Artifact Registry
gcloud artifacts repositories list --location=<REGION>
# List Docker images in Artifact Registry
gcloud artifacts docker images list <REGION>-docker.pkg.dev/<PROJECT_ID>/<REPOSITORY_NAME>
# For GCR (legacy registry), list images
gcloud container images list --repository=gcr.io/<PROJECT_ID>
```
If these commands successfully return repository and image data, your credentials and permissions are correctly configured.
Save the Results in the Platform and Create Connection
- In your platform's integrations section, securely upload or reference the Service Account JSON Key.
- Store securely in your platform's vault: project_id, client_email, private_key
- Create a new connector labeled GCP Container Registry Integration.
- Test the connection by fetching repository and image metadata.
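A pre-flight check for the downloaded key before it goes into the vault, added here as an example (not part of the product's own code): it verifies that the JSON is a service-account key, that client_email belongs to the stated project, that private_key is PEM-formatted, and then extracts only the three fields the vault needs. The sample key and the helper names (check_key, vault_fields, load_key_file) are constructed for this example; the private key body is a placeholder.

```python
import json
import os
import stat

# Fields every GCP service-account key file carries.
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id", "token_uri")
# The subset the platform vault stores, per the steps above.
VAULT_FIELDS = ("project_id", "client_email", "private_key")


def check_key(key: dict) -> list:
    """Return a list of problems found in a parsed key file (empty list means it looks valid)."""
    problems = []
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        return [f"missing fields: {', '.join(missing)}"]
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    # Service-account addresses are <name>@<project_id>.iam.gserviceaccount.com
    if not key["client_email"].endswith(f"@{key['project_id']}.iam.gserviceaccount.com"):
        problems.append("client_email does not belong to project " + key["project_id"])
    pem = key["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----") and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a PEM-encoded PKCS#8 private key")
    return problems


def vault_fields(key: dict) -> dict:
    """Validate the key and return only project_id, client_email and private_key."""
    problems = check_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    return {f: key[f] for f in VAULT_FIELDS}


def load_key_file(path: str) -> dict:
    """Read a key file from disk, refusing one that is readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; run chmod 600 on it first")
    with open(path) as fh:
        return vault_fields(json.load(fh))


# Constructed sample resembling a downloaded key; not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gcr-integration-sa@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}
```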
Best Practices
- Use Artifact Registry over the older Container Registry for newer workloads — it's the preferred and actively maintained service.
- Always follow the principle of least privilege — assign only the Storage Object Viewer and Artifact Registry Reader roles.
- Store your Service Account key securely using Google Secret Manager or your product's encrypted vault.
- Rotate JSON keys periodically or use Workload Identity Federation to eliminate static keys.
- Limit role assignments to specific projects or repositories if possible.
- Enable Cloud Audit Logs for artifactregistry.googleapis.com and storage.googleapis.com to track all access activity.
- Regularly validate credentials and ensure that the service account key hasn't expired or been revoked.