7

I'd like to configure our company container registry on GCP to:

  • Allow staff to push new images with new tags
  • Not allow existing tags to be replaced

The goal is to avoid using latest tag - or any other mutable tag - and consistently use new, immutable tags for new images.

Is there a set of IAM roles or permissions that can achieve this behaviour?

James Healy
  • I am not sure with this comment. GCR permissions are Cloud Storage permissions. Cloud Storage supports two features: Bucket Lock and Versioning. Bucket lock will prevent objects from being deleted which means also prevents overwriting for X period of time. Versioning prevents objects from being deleted as a side effect of creating object versions. Maybe this will give some hints to someone that can investigate this further. – John Hanley Jul 03 '19 at 04:03
  • Have you found a way to organize it? It seems GCR does not support it, while ECR (Amazon) does: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html. – Anton Daneyko Jul 15 '22 at 15:48
  • There is an open request for that feature in Google issue tracker https://issuetracker.google.com/issues/143836686 – Anton Daneyko Jul 15 '22 at 15:52

1 Answer

0

You don't have to use IAM roles. It should be a service account. You need to create a service account, set the GCR Editor role for it, download the JSON file, then send it to your staff.

A service account JSON key file is a long-lived credential that is scoped to a specific GCP Console project and its resources.

The service account you use to push and pull images must be correctly configured with the required permissions and access scope for interaction with Container Registry.

Service accounts automatically created by GCP, such as the Container Registry service account, are granted the read-write Editor role for the parent project. The Compute Engine default service account is configured with read-only access to storage within the same project. You may wish to grant other service accounts more specific permissions. Pushing and pulling images across projects requires proper configuration of both permissions and access scopes on the service account that interacts with Container Registry.

For more information about the required service account permissions and scopes to push and pull images, refer to the requirements for using Container Registry with Google Cloud Platform.

Le Khiem
  • How does your answer limit which GCR image tags you can write to? Note "Project Editor role" is an IAM Role. GCR Editor role does not exist. A Project Editor can overwrite any GCR image. One item in the question is "Not allow existing tags to be replaced". – John Hanley Jul 03 '19 at 03:56
  • Oh sorry for missing it, "Not allow existing tags to be replaced" - no role you can set for this purpose. There is no permission to only allow it to push to GCR. The minimum permission (IAM role) to allow push is "Storage Admin" based on current implementation. – Le Khiem Jul 03 '19 at 04:06
  • Thanks for clarifying in the comments - it's a shame there's no way to avoid mutating tags – James Healy Jul 03 '19 at 04:58
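Since no IAM role enforces the rule the question asks for, the convention has to be enforced where pushes happen. The following pre-push guard is an added example, not code from any post above: it refuses to push a tag that already resolves in GCR (checked with `gcloud container images describe`, which fails for a missing tag) or that is on a deny list of mutable names, and only then runs `docker push`. The GCLOUD/DOCKER override variables are a hook of this script for testing, not a gcloud feature.

```shell
#!/usr/bin/env bash
# Pre-push guard for GCR: refuse to push a tag that already exists or that
# is a mutable name such as "latest". This is a CI/client-side convention,
# not an IAM control; anyone with write access to the backing bucket can
# still overwrite a tag by other means.
set -eu

# Commands used for the registry lookup and the push. Overridable so the
# guard can be exercised with stubs; the hook belongs to this script only.
GCLOUD="${GCLOUD:-gcloud}"
DOCKER="${DOCKER:-docker}"

# Tag names treated as mutable by convention and never accepted.
MUTABLE_TAGS="latest stable dev main master"

# is_mutable_tag TAG -> exit 0 if TAG is on the deny list, 1 otherwise
is_mutable_tag() {
  for t in $MUTABLE_TAGS; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# tag_exists IMAGE TAG -> exit 0 if IMAGE:TAG already resolves in GCR.
# `gcloud container images describe` exits non-zero when the tag is absent.
tag_exists() {
  "$GCLOUD" container images describe "$1:$2" >/dev/null 2>&1
}

# push_immutable IMAGE TAG -> pushes only when TAG is new and not mutable.
# Exit codes: 2 mutable tag, 3 tag already exists, otherwise docker's.
push_immutable() {
  image="$1" tag="$2"
  if is_mutable_tag "$tag"; then
    echo "refusing to push mutable tag '$tag'" >&2
    return 2
  fi
  if tag_exists "$image" "$tag"; then
    echo "refusing to push: $image:$tag already exists" >&2
    return 3
  fi
  "$DOCKER" push "$image:$tag"
}
```

Because the check is client-side, it only protects pushes routed through this script (for example from a CI job); a direct push with Storage Admin rights still overwrites the tag.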