The Cloud Build default service account has permissions to
push to and pull from Artifact Registry repositories in the same
Google Cloud project unless you have
disabled automatic role granting to default service accounts.
If you are using a Docker client to push and pull images, configure
authentication to Artifact Registry.
Metadata can be any relevant information you want to store that is related to
a container image, including files you can scan or generate with
Artifact Analysis:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eArtifact Registry is capable of storing Docker and OCI container images within a Docker repository.\u003c/p\u003e\n"],["\u003cp\u003eDefault service accounts for Compute Engine, GKE nodes, Cloud Run, and Cloud Build are granted permissions to interact with Artifact Registry repositories in the same project, unless automatic role granting is disabled.\u003c/p\u003e\n"],["\u003cp\u003eDocker clients require authentication configuration to interact with Artifact Registry, enabling image pushing and pulling.\u003c/p\u003e\n"],["\u003cp\u003eArtifact Registry facilitates the management of container metadata, including SBOMs, vulnerability scan results, and build provenance, through attachments and integration with Artifact Analysis.\u003c/p\u003e\n"],["\u003cp\u003ePub/Sub notifications can be configured to alert users of any changes made to their repository, providing real-time updates.\u003c/p\u003e\n"]]],[],null,["# Work with container images\n\nArtifact Registry can store Docker and OCI [container images](/artifact-registry/docs/supported-formats#container)\nin a Docker repository.\n\nTo get familiar with container images in Artifact Registry, you can try the\n[quickstart](/artifact-registry/docs/docker/quickstart).\n\nWhen you are ready to learn more, read the following information:\n\n- [Create a Docker repository](/artifact-registry/docs/repositories/create-repos) for your images.\n- [Grant permissions](/artifact-registry/docs/access-control) to the account that will connect with the repository.\n - The default service account for Compute Engine has permissions to pull from Artifact Registry repositories in the same Google Cloud project unless you have [disabled automatic role granting to default service accounts](/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants). The Compute Engine service account is also the [default GKE node service account](/kubernetes-engine/docs/how-to/service-accounts#default-gke-service-agent) and the default [Cloud Run service account](/run/docs/securing/service-identity#default_service_account).\n - The Cloud Build default service account has permissions to push to and pull from Artifact Registry repositories in the same Google Cloud project unless you have disabled automatic role granting to default service accounts.\n- If you are using a Docker client to push and pull images, configure [authentication](/artifact-registry/docs/docker/authentication) to Artifact Registry.\n- Learn about [pushing and pulling images](/artifact-registry/docs/docker/pushing-and-pulling).\n- Learn about [managing images](/artifact-registry/docs/docker/manage-images).\n- Learn how to [manage container metadata](/artifact-registry/docs/docker/manage-metadata) with attachments.\n Attachments are [OCI artifacts](https://github.com/opencontainers/image-spec/blob/main/manifest.md#guidelines-for-artifact-usage) that hold metadata about another\n container image.\n\n Metadata can be any relevant information you want to store that is related to\n a container image, including files you can scan or generate with\n [Artifact Analysis](/artifact-registry/docs/analysis):\n - [Software bill of materials (SBOM)](/artifact-analysis/docs/sbom-overview)\n - [Vulnerability scan results](/artifact-analysis/docs/container-scanning-overview)\n - [Other metadata such as build provenance](/artifact-analysis/docs/metadata-management-overview)\n\n \u003cbr /\u003e\n\n- Set up [Pub/Sub notifications](/artifact-registry/docs/configure-notifications) for changes to your repository.\n- Set up [Artifact Analysis](/artifact-registry/docs/analysis) to manage image metadata and scan for vulnerabilities."]]