Google Artifact Registry
Prerequisites
A Service Account within one of the projects is created.
The required
Artifact Registry Reader
role is assigned to that service account.A Custom Role with the
resourcemanager.projects.get
permission.This permission allows the Service Account to list repositories on the Docker v2
_catalog
endpoint.
Install Registry Scanner
You can set up the Registry Scanner either at the project level or the organization level.
$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=gar \
--set config.registryURL=<GAR_REGISTRY_URL> \
--set config.registryPassword=<GAR_REGISTRY_PASSWORD>
<GAR_REGISTRY_PASSWORD>
: Base64 encoded Service Account JSON access key.To encode JSON key file to base64, use the following command:
--set config.registryPassword="$(cat <GAR_SA_FILE_NAME>.json | base64)"
<GAR_REGISTRY_URL>
: Google Artifact Registry URL.For example,
us-docker.pkg.dev
Create a Custom Role
Create a Custom Role with the resourcemanager.projects.get
permission. This permission allows the Service Account to list repositories on the Docker v2 _catalog
endpoint.
Create a Custom Role at Project Level
gcloud iam roles create sysdig.repositorylist --project=<YOUR_PROJECT_ID> \
--title="Sysdig - Artifact Registry - List Repositories" \
--description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
--permissions="resourcemanager.projects.get" --stage=GA
gcloud projects add-iam-policy-binding <YOUR_PROJECT_ID> \
--member='serviceAccount:<SERVICE_ACCOUNT_NAME>@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
--role='projects/<YOUR_PROJECT_ID>/roles/sysdig.repositorylist'
Create a Custom Role at Organization Level
gcloud iam roles create sysdig.repositorylist --organization=<YOUR_ORGANIZATION_ID> \
--title="Sysdig - Artifact Registry - List Repositories" \
--description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
--permissions="resourcemanager.projects.get" --stage=GA
gcloud projects add-iam-policy-binding <YOUR_ORGANIZATION_ID> \
--member='serviceAccount:<SERVICE_ACCOUNT_NAME>@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
--role='organizations/<YOUR_ORGANIZATION_ID>/roles/sysdig.repositorylist'
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.