Work with container images
Artifact Registry can store Docker and OCIcontainer imagesin a Docker repository.
To get familiar with container images in Artifact Registry, you can try thequickstart.
When you are ready to learn more, read the following information:
- Create a Docker repository for your images.
- Grant permissions to the account that will connect with the repository.
- The default service account for Compute Engine has permissions to pull from Artifact Registry repositories in the same Google Cloud project unless you havedisabled automatic role granting to default service accounts. The Compute Engine service account is also thedefault GKE node service account and the defaultCloud Run service account.
- The Cloud Build default service account has permissions to push to and pull from Artifact Registry repositories in the same Google Cloud project unless you have disabled automatic role granting to default service accounts.
- If you are using a Docker client to push and pull images, configureauthentication to Artifact Registry.
- Learn aboutpushing and pulling images.
- Learn aboutmanaging images.
Learn how tomanage container metadata with attachments. Attachments areOCI artifacts that hold metadata about another container image.
Metadata can be any relevant information you want to store that is related to a container image, including files you can scan or generate withArtifact Analysis:
- Set upPub/Sub notifications for changes to your repository.
- Set upArtifact Analysis to manage image metadata and scan for vulnerabilities.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.