This page describes how to create Artifact Registry standard repositories.
Standard repositories are repositories for your private artifacts. You upload artifacts to and download artifacts directly from these repositories.
Each repository can contain artifacts for a single supported format.
Before you begin
- Enable Artifact Registry, including enabling the Artifact Registry API and installing Google Cloud CLI.
- (Optional) Configure defaults for gcloud commands.
- If you require customer-managed encryption keys (CMEK) to encrypt repository content, create and enable a key in Cloud KMS for the repository.
Required roles
To get the permissions that you need to create repositories, ask your administrator to grant you the Artifact Registry Administrator (roles/artifactregistry.admin) IAM role on the Trusted Cloud by S3NS project.
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create a standard repository
When you create a repository, you must configure the following settings that cannot be changed after the repository is created:
- Artifact format.
- Repository mode.
- Repository location.
- Encryption with Google Cloud-powered encryption keys or customer-managed encryption keys. Artifact Registry uses Google Cloud-powered encryption keys by default.
Artifact Registry enforces organization policy constraints that require CMEK to encrypt resources or limit which Cloud KMS keys can be used for CMEK protection.
Create a repository using the Trusted Cloud console
Open the Repositories page in the Trusted Cloud console.
Click Create Repository.
Specify the repository name. For each repository location in a project, repository names must be unique.
Select the repository format.
If multiple repository modes are available, select Standard.
Choose the location for the repository. For information about location types and supported locations, see Repository locations.
Add a description for the repository. Descriptions help to identify the purpose of the repository and the kind of artifacts it contains.
Don't include sensitive data, since repository descriptions are not encrypted.
If you want to use labels to organize your repositories, click Add Label and enter the key-value pair for the label. You can add, edit, or remove labels after you create the repository.
In the Encryption section, choose the encryption mechanism for the repository.
- Google Cloud-powered encryption key - Encrypt repository content with a Google Cloud-powered encryption key.
- Customer-managed key - Encrypt repository content with a key that you control through Cloud Key Management Service. For key setup instructions, see Setting up CMEK for repositories.
For Docker repositories, the Immutable image tags setting configures your repository to use image tags that always point to the same image digest. A user with the Artifact Registry administrator role can change this setting after the repository is created.
- By default this setting is disabled. Image tags are mutable, meaning that the image digest that the tag points to can change.
- If this setting is enabled, image tags are immutable. A tag must always point to the same image digest. To learn more about mutable and immutable image tags, see Container image versions.
Click Create.
Artifact Registry creates the repository and adds it to the list of repositories.
After you have created the repository:
- Grant access to the repository.
- Configure Docker and other third-party clients to authenticate to repositories.
Create a repository using the Google Cloud CLI
Run the command to create a new repository.
Apt
gcloud artifacts repositories create REPOSITORY \
--repository-format=apt \
--location=LOCATION \
--description="DESCRIPTION" \
--kms-key=KMS-KEY \
--async
Replace the following:
- REPOSITORY: the name of the repository. For each repository location in a project, repository names must be unique.
- LOCATION: the regional location for the repository. You can omit this flag if you set a default. To view a list of supported locations, run the command:
gcloud artifacts locations list
- DESCRIPTION: a description of the repository. Don't include sensitive data, since repository descriptions are not encrypted.
- KMS-KEY: the full path to the Cloud KMS encryption key, if you are using a customer-managed encryption key to encrypt repository contents. The path is in the format:
projects/KMS-PROJECT/locations/KMS-LOCATION/keyRings/KEY-RING/cryptoKeys/KEY
Replace the following:
  - KMS-PROJECT: the project where your key is stored.
  - KMS-LOCATION: the location of the key.
  - KEY-RING: the name of the key ring.
  - KEY: the name of the key.
- --async: returns immediately, without waiting for the operation in progress to complete.
Docker
gcloud artifacts repositories create REPOSITORY \
--repository-format=docker \
--location=LOCATION \
--description="DESCRIPTION" \
--kms-key=KMS-KEY \
--immutable-tags \
--async \
--disable-vulnerability-scanning
Replace the following:
- REPOSITORY: the name of the repository. For each repository location in a project, repository names must be unique.
- LOCATION: the regional location for the repository. You can omit this flag if you set a default location. To view a list of supported locations, run the command:
gcloud artifacts locations list
- DESCRIPTION: a description of the repository. Don't include sensitive data, since repository descriptions are not encrypted.
- KMS-KEY: the full path to the Cloud KMS encryption key, if you are using a customer-managed encryption key to encrypt repository contents. The path is in the format:
projects/KMS-PROJECT/locations/KMS-LOCATION/keyRings/KEY-RING/cryptoKeys/KEY
Replace the following:
  - KMS-PROJECT: the project where your key is stored.
  - KMS-LOCATION: the location of the key.
  - KEY-RING: the name of the key ring.
  - KEY: the name of the key.
- --immutable-tags: an optional flag that configures your repository to use tags that always point to the same image digest. By default, when the --immutable-tags flag isn't passed, a tag can be moved to another image digest. To learn more about immutable and mutable image tags, see Container image versions.
- --async: returns immediately, without waiting for the operation in progress to complete.
Yum
gcloud artifacts repositories create REPOSITORY \
--repository-format=yum \
--location=LOCATION \
--description="DESCRIPTION" \
--kms-key=KMS-KEY \
--async
Replace the following:
- REPOSITORY: the name of the repository. For each repository location in a project, repository names must be unique.
- LOCATION: the regional location for the repository. You can omit this flag if you set a default. To view a list of supported locations, run the command:
gcloud artifacts locations list
- DESCRIPTION: a description of the repository. Don't include sensitive data, since repository descriptions are not encrypted.
- KMS-KEY: the full path to the Cloud KMS encryption key, if you are using a customer-managed encryption key to encrypt repository contents. The path is in the format:
projects/KMS-PROJECT/locations/KMS-LOCATION/keyRings/KEY-RING/cryptoKeys/KEY
Replace the following:
  - KMS-PROJECT: the project where your key is stored.
  - KMS-LOCATION: the location of the key.
  - KEY-RING: the name of the key ring.
  - KEY: the name of the key.
- --async: returns immediately, without waiting for the operation in progress to complete.
Artifact Registry creates your repository. Run the following command to view a description of the repository:
gcloud artifacts repositories describe REPOSITORY \
--location=LOCATION
After you have created the repository:
- Grant access to the repository.
- Configure Docker and other third-party clients to authenticate to repositories.
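The settings chosen at creation time (encryption key, tag immutability) and the unencrypted description can be checked after the fact from the output of the describe command with --format=json. The following is an added example, not part of the original page or of Google Cloud CLI: it assumes the JSON field names of the Artifact Registry Repository resource (kmsKeyName, dockerConfig.immutableTags, format, description), and the secret-detection pattern and sample data are constructed for illustration.

```python
import json
import re

# KMS key path format as given on this page.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$")
# Heuristic only (assumption): wording that suggests a secret was pasted in.
SECRET_HINT_RE = re.compile(
    r"(password|passwd|secret|token|api[_-]?key)\s*[=:]", re.IGNORECASE)


def audit_repository(repo, require_cmek=True):
    """Return findings for one parsed `describe --format=json` result."""
    findings = []
    key = repo.get("kmsKeyName")
    if not key:
        if require_cmek:
            findings.append("no-cmek: default encryption key in use")
    elif not KMS_KEY_RE.match(key):
        findings.append("bad-kms-path: " + key)
    # Tag immutability only applies to Docker repositories.
    if repo.get("format") == "DOCKER":
        if not repo.get("dockerConfig", {}).get("immutableTags", False):
            findings.append("mutable-tags: a tag can move to another digest")
    if SECRET_HINT_RE.search(repo.get("description", "")):
        findings.append("sensitive-description: descriptions are not encrypted")
    return findings


# Constructed sample outputs; project, location and key names are made up.
SAMPLE_GOOD = json.loads("""{
  "name": "projects/example-project/locations/example-region/repositories/app-images",
  "format": "DOCKER",
  "description": "Production service images",
  "kmsKeyName": "projects/example-kms/locations/example-region/keyRings/ar-ring/cryptoKeys/ar-key",
  "dockerConfig": {"immutableTags": true}
}""")
SAMPLE_BAD = json.loads("""{
  "name": "projects/example-project/locations/example-region/repositories/scratch",
  "format": "DOCKER",
  "description": "CI pushes here, token: abc123"
}""")

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        print(sample["name"], audit_repository(sample) or "ok")
```

Because the encryption setting cannot be changed after creation, a no-cmek finding on a repository that requires CMEK means creating a new repository rather than updating the existing one.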
Create a repository using Terraform
Use the google_artifact_registry_repository resource to create repositories. terraform-provider-google version 5.0.0 or newer is required.
If you are new to using Terraform for Trusted Cloud by S3NS, see the Get Started - Trusted Cloud by S3NS page on the HashiCorp website.
The following example defines the provider and a repository with the Terraform resource name my-repo.
Apt
provider "google" {
  project = "PROJECT-ID"
}

resource "google_artifact_registry_repository" "my-repo" {
  location      = "LOCATION"
  repository_id = "REPOSITORY"
  description   = "DESCRIPTION"
  format        = "apt"
  kms_key_name  = "KEY"
}
Replace the following:
- PROJECT-ID is the Trusted Cloud project ID.
- LOCATION is the repository location.
- REPOSITORY is the repository name.
- DESCRIPTION is the optional description for the repository. Do not include sensitive data, since repository descriptions are not encrypted.
- KEY is the name of the Cloud Key Management Service key, if you are using customer-managed encryption keys (CMEK) for encryption. Omit this argument to use the default setting, Google-managed encryption keys.
Docker
provider "google" {
  project = "PROJECT-ID"
}

resource "google_artifact_registry_repository" "my-repo" {
  location      = "LOCATION"
  repository_id = "REPOSITORY"
  description   = "DESCRIPTION"
  format        = "docker"
  kms_key_name  = "KEY"
}
Replace the following:
- PROJECT-ID is the Trusted Cloud project ID.
- LOCATION is the repository location.
- REPOSITORY is the repository name.
- DESCRIPTION is the optional description for the repository. Do not include sensitive data, since repository descriptions are not encrypted.
- KEY is the name of the Cloud Key Management Service key, if you are using customer-managed encryption keys (CMEK) for encryption. Omit this argument to use the default setting, Google-managed encryption keys.
Yum
provider "google" {
  project = "PROJECT-ID"
}

resource "google_artifact_registry_repository" "my-repo" {
  location      = "LOCATION"
  repository_id = "REPOSITORY"
  description   = "DESCRIPTION"
  format        = "yum"
  kms_key_name  = "KEY"
}
Replace the following:
- PROJECT-ID is the Trusted Cloud project ID.
- LOCATION is the repository location.
- REPOSITORY is the repository name.
- DESCRIPTION is the optional description for the repository. Do not include sensitive data, since repository descriptions are not encrypted.
- KEY is the name of the Cloud Key Management Service key, if you are using customer-managed encryption keys (CMEK) for encryption. Omit this argument to use the default setting, Google-managed encryption keys.
Artifact Registry creates your repository. Run the following command to view a description of the repository:
gcloud artifacts repositories describe REPOSITORY \
--location=LOCATION
After you have created the repository:
- Grant access to the repository.
- Configure Docker and other third-party clients to authenticate to repositories.
Edit repository descriptions
You can change the repository description from the Trusted Cloud console or the gcloud CLI.
Console
Open the Repositories page in the Trusted Cloud console.
In the repository list, select the repository and click Edit Repository.
Edit the repository description and then click Save.
gcloud
To update the repository description, run the command:
gcloud artifacts repositories update REPOSITORY \
--project=PROJECT \
--location=LOCATION \
--description="DESCRIPTION"
Replace the following:
- REPOSITORY: the name of the repository. If you configured a default repository, then you can omit this flag to use the default.
- PROJECT: the Trusted Cloud by S3NS project ID. If this flag is omitted, then the current or default project is used.
- LOCATION: the regional location of the repository. Use this flag to view repositories in a specific location. If you configured a default location, then you can omit this flag to use the default.
- DESCRIPTION: a description for the repository.