This document describes how to authenticate to upstream sources for your Artifact Registry remote repositories.
This document assumes you have already created an Artifact Registry remote repository, and have an account with the external source.
For more information on remote repositories, see the Remote repositories overview.
Required roles
To get the permissions that you need to configure authentication to upstream sources for remote repositories, ask your administrator to grant you the following IAM roles on the project:
- Artifact Registry Admin (roles/artifactregistry.admin)
- Secret Manager Admin (roles/secretmanager.admin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Preset upstream sources
To configure authentication for preset upstream sources, see the corresponding guidance for each upstream that follows:
User-defined upstream sources
To configure authentication for user-defined upstream sources, complete the following steps.
Save your access token in a secret
- Create an access token in the private registry.
- Create a secret in Secret Manager.
- Save your personal access token as a secret version.
Grant the Artifact Registry service account access to your secret
The Artifact Registry service agent acts on behalf of Artifact Registry when interacting with Google Cloud services. To allow the service agent to use secrets stored in Secret Manager, you must grant the service agent permission to view your secret version.
The service agent identifier is:
service-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com
PROJECT-NUMBER is the project number of the Google Cloud project where Artifact Registry is running.
To grant the Artifact Registry service agent the Secret Manager Secret Accessor role:
Console
- Go to the Secret Manager page in the Google Cloud console.
- On the Secret Manager page, click the checkbox next to the name of the secret.
- If it is not already open, click Show Info Panel to open the panel.
- In the info panel, click Add Principal.
- In the New principals text area, enter the email address(es) of the members to add.
- In the Select a role dropdown, choose Secret Manager and then Secret Manager Secret Accessor.
gcloud
$ gcloud secrets add-iam-policy-binding secret-id \
--member="member" \
--role="roles/secretmanager.secretAccessor"
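Where secret-id is the name of the secret and member is an IAM member, such as a user, group, or service account. For this procedure, member is the Artifact Registry service agent, written as serviceAccount:service-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com.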
C#, Go, Java, Node.js, PHP, Python, Ruby
To authenticate to Artifact Registry, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
API
Note: Unlike the other examples, this replaces the entire IAM policy.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id:setIamPolicy" \
--request "POST" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--data "{\"policy\": {\"bindings\": [{\"members\": [\"member\"], \"role\": \"roles/secretmanager.secretAccessor\"}]}}"
For more information on granting or revoking access to secrets, see Manage access to secrets.
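Because the API call above replaces the entire IAM policy, a request body that contains only the new binding removes every other grant on the secret. The following added example (not part of the original documentation) merges the service agent binding into a policy previously read with getIamPolicy, keeping existing bindings and the etag. The function names, project number and sample policy are constructed for illustration.

```python
# Added example: helper names and sample values are illustrative.
import copy

ROLE = "roles/secretmanager.secretAccessor"

def service_agent_member(project_number: str) -> str:
    """Build the IAM member string for the Artifact Registry service agent."""
    if not project_number.isdigit():
        raise ValueError("project number must be numeric, not a project ID")
    return ("serviceAccount:service-%s@gcp-sa-artifactregistry"
            ".iam.gserviceaccount.com" % project_number)

def merge_binding(policy: dict, role: str, member: str) -> dict:
    """Return a copy of `policy` with `member` added to `role`.
    Other bindings and the etag are kept for the setIamPolicy call."""
    merged = copy.deepcopy(policy)
    bindings = merged.setdefault("bindings", [])
    for binding in bindings:
        # Only reuse an unconditional binding; a conditional one has
        # different semantics and must not silently gain a member.
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return merged
    bindings.append({"role": role, "members": [member]})
    return merged

def accessors(policy: dict, role: str = ROLE) -> set:
    """Return every member that can read the secret payload via `role`."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == role for m in b.get("members", [])}

# Constructed sample of a getIamPolicy response for a secret.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwXconstructed=",
    "bindings": [
        {"role": "roles/secretmanager.admin",
         "members": ["user:admin@example.com"]},
    ],
}

if __name__ == "__main__":
    agent = service_agent_member("123456789012")
    body = {"policy": merge_binding(CURRENT_POLICY, ROLE, agent)}
    print(body)  # JSON-encode this as the --data payload for setIamPolicy
    print(sorted(accessors(body["policy"])))
```

Reviewing the output of accessors() before sending the request confirms that only the intended principals can read the access token.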
Add upstream credentials to your remote repository
To update your remote repository with your upstream source credentials:
Console
- Open the Repositories page in the Google Cloud console.
- In the repository list, select the repository and click Edit Repository.
- In the Remote repository authentication mode section, update or add your upstream source username and the secret containing your access token.
gcloud CLI
To update your remote repository with your upstream source credentials, run the following command:
gcloud artifacts repositories update REPOSITORY \
--project=PROJECT_ID \
--location=LOCATION \
--remote-username=USERNAME \
--remote-password-secret-version=projects/SECRET_PROJECT_ID/secrets/SECRET_ID/versions/SECRET_VERSION
Replace the following:
- REPOSITORY with the name of your Artifact Registry remote repository.
- PROJECT_ID with your Google Cloud project ID.
- LOCATION with the regional or multi-regional location for the repository. You can omit this flag if you set a default. To view a list of supported locations, run the command gcloud artifacts locations list.
- USERNAME with your upstream source username.
- SECRET_PROJECT_ID with the project ID of the project in which you created your secret.
- SECRET_ID with the name you gave your secret.
- SECRET_VERSION with the secret version you saved your access token in.
Your credentials are used the next time the remote repository sends a request for an artifact from the upstream source.
What's next
- Create cleanup policies to clean up unneeded artifacts.