Deploying to Compute Engine

Compute Engine can pull containers directly from Artifact Registry repositories.

Required permissions

By default, the Compute Engine service account has Editor permissions for resources in the same project and the read-only access scope for Cloud Storage buckets.

While Editor permissions generally grant write access, the read-only access scope limits the VM instance service account to downloading artifacts from repositories in the same project.

You must configure the appropriate permissions and access scopes yourself if you have other requirements. For example:

  • You want the VM instance to upload to repositories. In this case, you must configure an access scope with write access to storage: read-write, cloud-platform, or full-control.
  • The VM instance is in a different project than the repositories that you want to access. In the project with the repositories, grant the required permissions to the instance's service account.
  • The repositories are in the same project, but you do not want the default service account to have the same level of access across all repositories. In this case, you must grant the appropriate permissions at the repository level and revoke the Artifact Registry permissions at the project level.
  • The VM is associated with a custom service account. Ensure that the service account has the required permissions and access scope.
  • You are using custom roles to grant permissions and the custom role does not include the required Artifact Registry permissions. Add the required permissions to the role.
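The interaction described above, where a VM's access is the lower of what its access scopes allow and what its service account's IAM roles grant, can be checked with a short audit script. This is an added example, not code from the original page: the instance records follow the `serviceAccounts` / `scopes` layout of instance JSON, while the role table is a simplified assumption, the role lists per account are supplied by hand, and all sample data is constructed.

```python
PREFIX = "https://www.googleapis.com/auth/"
RANK = {"none": 0, "read": 1, "write": 2}

# Ceiling that each storage-related access scope puts on the VM.
SCOPE_CEILING = {
    "devstorage.read_only": "read",
    "devstorage.read_write": "write",
    "devstorage.full_control": "write",
    "cloud-platform": "write",
}
# Simplified role model (assumption): roles not listed here count as no access.
ROLE_GRANT = {
    "roles/editor": "write",
    "roles/artifactregistry.reader": "read",
    "roles/artifactregistry.writer": "write",
}

def highest(names, table):
    """Most permissive level that any of the given names maps to."""
    return max((table[n] for n in names if n in table), key=RANK.get, default="none")

def effective_access(scopes, roles):
    """The lower of what the scopes allow and what the IAM roles grant."""
    short = [s[len(PREFIX):] if s.startswith(PREFIX) else s for s in scopes]
    return min(highest(short, SCOPE_CEILING), highest(roles, ROLE_GRANT), key=RANK.get)

def audit(instances, roles_by_account):
    """Map each instance name to its service account's effective access."""
    report = {}
    for inst in instances:
        report[inst["name"]] = "none"  # no service account attached
        for sa in inst.get("serviceAccounts", []):
            roles = roles_by_account.get(sa["email"], [])
            report[inst["name"]] = effective_access(sa.get("scopes", []), roles)
    return report

# Constructed sample data (not from a real project).
DEFAULT_SA = "123456789012-compute@developer.gserviceaccount.com"
CUSTOM_SA = "puller@example-project.iam.gserviceaccount.com"
INSTANCES = [
    {"name": "default-vm", "serviceAccounts": [{"email": DEFAULT_SA, "scopes": [PREFIX + "devstorage.read_only"]}]},
    {"name": "uploader-vm", "serviceAccounts": [{"email": DEFAULT_SA, "scopes": [PREFIX + "cloud-platform"]}]},
    {"name": "custom-vm", "serviceAccounts": [{"email": CUSTOM_SA, "scopes": [PREFIX + "devstorage.read_write"]}]},
    {"name": "no-sa-vm"},
]
ROLES = {DEFAULT_SA: ["roles/editor"], CUSTOM_SA: ["roles/artifactregistry.reader"]}

if __name__ == "__main__":
    for name, access in audit(INSTANCES, ROLES).items():
        print(f"{name}: {access}")
```

Instances reported as `write` are the ones to review first, since widening the scope on a VM that runs as an Editor account is what turns a pull-only host into one that can upload.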