Se você desativar a concessão automática de papéis, precisará decidir quais papéis conceder às contas de serviço
padrão e, em seguida, conceder esses papéis
por conta própria.
Se a conta de serviço padrão já tiver o papel de Editor, recomendamos que você o substitua
por papéis menos permissivos.Para modificar com segurança os papéis da conta de serviço, use o Simulador de política para conferir o impacto da
mudança e, em seguida, conceda e revogue os
papéis apropriados.
Confira alguns exemplos de escopos de acesso e papéis obrigatórios para diferentes
cenários:
Para extrair imagens de contêiner dos repositórios do Artifact Registry, é necessário
conceder à conta de serviço do Compute Engine o papel de leitor do Artifact Registry (roles/artifactregistry.reader). Além disso, verifique se o
escopo de acessoread-only está definido
para os buckets do Cloud Storage.
Você quer que a instância de VM seja carregada em repositórios. Nesse caso, é preciso
configurar um escopo de acesso
com acesso de gravação ao armazenamento: read-write, cloud-platform ou
full-control.
A instância de VM está em um projeto diferente dos repositórios que você quer
acessar. No projeto com os repositórios, conceda
as permissões necessárias à conta de serviço da instância.
Os repositórios estão no mesmo projeto, mas você não quer
que a conta de serviço padrão tenha o mesmo nível de acesso em todos os
repositórios. Nesse caso, você precisa conceder as permissões apropriadas no
nível do repositório e revogar as permissões do Artifact Registry no
nível do projeto.
A VM está associada a uma conta de serviço personalizada. Verifique se a conta de
serviço tem as permissões necessárias e o escopo de acesso.
Você está usando papéis personalizados para conceder permissões e eles não
incluem as permissões obrigatórias do Artifact Registry. Adicione as
permissões obrigatórias ao papel.
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-08-18 UTC."],[[["\u003cp\u003eCompute Engine can directly pull containers from Artifact Registry repositories.\u003c/p\u003e\n"],["\u003cp\u003eThe Compute Engine service account requires Artifact Registry access to pull container images.\u003c/p\u003e\n"],["\u003cp\u003eDisabling the automatic Editor role grant for the default service account is recommended and may require you to manually grant specific roles.\u003c/p\u003e\n"],["\u003cp\u003eTo pull images, the service account needs the Artifact Registry Reader role, and \u003ccode\u003eread-only\u003c/code\u003e access scope should be set for Cloud Storage.\u003c/p\u003e\n"],["\u003cp\u003eWhen working with multiple projects, or custom service accounts, ensure the appropriate permissions and access scopes are configured for the specific account.\u003c/p\u003e\n"]]],[],null,["# Deploying to Compute Engine\n\nCompute Engine can pull containers directly from Artifact Registry\nrepositories.\n\nRequired permissions\n--------------------\n\nThe Compute Engine service account needs access to Artifact Registry in\norder to pull container images.\n\n\nDepending on your organization policy configuration, the default service account might\nautomatically be granted the [Editor role](/iam/docs/roles-overview#basic) on your\nproject. We strongly recommend that you disable the automatic role grant by [enforcing the `iam.automaticIamGrantsForDefaultServiceAccounts` organization policy\nconstraint](/resource-manager/docs/organization-policy/restricting-service-accounts#disable_service_account_default_grants). If you created your organization after May 3, 2024, this\nconstraint is enforced by default.\n\n\nIf you disable the automatic role grant, you must decide which roles to grant to the default\nservice accounts, and then [grant these\nroles](/iam/docs/granting-changing-revoking-access) yourself.\n\n\nIf the default service account already has the Editor role, we recommend that you replace the\nEditor role with less permissive roles.To safely modify the service account's roles, use [Policy Simulator](/policy-intelligence/docs/simulate-iam-policies) to see the impact of\nthe change, and then [grant and revoke the\nappropriate roles](/iam/docs/granting-changing-revoking-access).\n\n\u003cbr /\u003e\n\nSome examples of required access scopes and required roles for different\nscenarios are as follows:\n\n- To pull container images from Artifact Registry repositories, you must grant the Compute Engine service account the Artifact Registry Reader role (`roles/artifactregistry.reader`). Additionally, ensure the `read-only` [access scope](/storage/docs/oauth-scopes) is set for Cloud Storage storage buckets.\n- You want the VM instance to upload to repositories. In this case, you must configure an [access scope](/storage/docs/oauth-scopes) with write access to storage: `read-write`, `cloud-platform`, or `full-control`.\n- The VM instance is in a different project than the repositories that you want to access. In the project with the repositories, [grant](/artifact-registry/docs/access-control#grant) the required permissions to the instance's service account.\n- The repositories are in the same project, but you don't want the default service account to have the same level of access across all repositories. In this case, you must grant the appropriate permissions at the repository level and revoke the Artifact Registry permissions at the project level.\n- The VM is associated with a custom service account. Ensure that the service account has the required permissions and access scope.\n- You are using custom roles to grant permissions and the custom role does not include the required Artifact Registry permissions. Add the required [permissions](/artifact-registry/docs/access-control#permissions) to the role."]]
