Welcome to the second lesson in our course on working with container registries. In the previous lesson, you explored Google Artifact Registry and verified your environment through the gcloud CLI. Now it's time to create your first Artifact Registry repository with security best practices built in from day one.
Rather than creating a basic repository and adding security later, you'll learn to configure security settings during the initial creation. This lesson focuses on critical security features: Container Analysis API for automatic vulnerability detection and IAM-based access controls for deployment consistency.
By the end of this lesson, you'll run the gcloud artifacts repositories create command with the appropriate configuration and verify your settings using gcloud artifacts repositories list and gcloud artifacts repositories describe.
Security in container registries goes beyond access control — it's about ensuring the integrity and safety of your stored images. Google Artifact Registry integrates with Google Cloud's security infrastructure to provide comprehensive protection for your container images.
Container Analysis API automatically analyzes container images for known security vulnerabilities. When enabled for your project, it scans images stored in Artifact Registry and provides detailed vulnerability reports. The API uses continuously updated vulnerability databases to identify potential issues in image layers, including OS packages and application dependencies. Scans provide severity ratings (CRITICAL, HIGH, MEDIUM, LOW) to help you prioritize remediation efforts.
IAM-based access controls provide fine-grained permissions for repository operations. Google Cloud uses role-based access control to determine who can push, pull, or modify images. This approach offers flexibility while maintaining security through proper permission management. Key roles include artifactregistry.writer for pushing images, artifactregistry.reader for pulling images, and artifactregistry.repoAdmin for repository management.
Key Benefits:
- Container Analysis API: Comprehensive vulnerability scanning with detailed reports.
- IAM roles: Granular control over repository operations and image management.
- Automated security: Integration with Google Cloud's security ecosystem.
- Continuous monitoring: Ongoing vulnerability detection as new threats are discovered.
Before creating your first Artifact Registry repository, understand these key requirements:
Location awareness is crucial because repositories are location-specific resources. When you create a repository in us-west1, its URI includes that location (e.g., us-west1-docker.pkg.dev/project/repo). While you can push and pull images from any location, accessing a repository from distant regions may incur network latency and cross-region data transfer costs.
For production workloads distributed across multiple regions, organizations typically adopt one of two strategies: creating separate repositories in each region where services run (maintaining regional isolation and performance), or using a single repository with acceptance of cross-region network costs for centralized image management. Google Cloud uses location names like us-west1, us-central1, europe-west1, etc.
IAM permissions are required for Artifact Registry operations. Key roles include:
- roles/artifactregistry.repoAdmin: Required for creating, updating, and deleting repositories, as well as managing IAM policies and cleanup policies.
- roles/artifactregistry.writer: Allows pushing images to existing repositories and viewing repository metadata.
- roles/artifactregistry.reader: Allows pulling images and viewing repository metadata (but not pushing).
Important: Creating repositories specifically requires roles/artifactregistry.repoAdmin. The writer role is insufficient for repository creation operations.
The gcloud artifacts repositories create command is your primary tool for creating new Artifact Registry repositories. Understanding its key parameters helps you configure repositories correctly from the start.
Essential Parameters:
- REPOSITORY: The repository name (required); it must contain lowercase letters, numbers, and hyphens only.
- --repository-format=docker: Specifies the repository type (docker, maven, npm, python, etc.).
- --location=LOCATION: The Google Cloud location where the repository will be created (required).
- --description="DESCRIPTION": Optional human-readable description of the repository.
Example command structure:
Note that vulnerability scanning is configured separately through the Container Analysis API at the project level, not during repository creation. This allows centralized security management across all repositories in your project.
Create your first Artifact Registry repository with this command:
This creates a Docker repository named my-web-app in the us-central1 location. The command returns output confirming the operation:
The repository URI follows Google Cloud's format:
This complete address is what you'll use for pushing and pulling images. The format is: LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE.
To ensure the Container Analysis API is enabled for vulnerability scanning, verify it's active in your project:
If not enabled, you can enable it with:
After creating a repository, you'll need to apply IAM policy bindings to grant specific users or service accounts access to your repository. Artifact Registry also supports cleanup policies for automated image retention management, which you'll explore in detail in a later lesson.
While IAM roles provide project-level permissions, you often need to grant access to specific repositories. The gcloud artifacts repositories add-iam-policy-binding command assigns roles to users or service accounts for individual repositories.
Command Structure:
Example: Grant a service account write access:
This grants the CI/CD service account permission to push images to the my-web-app repository.
Common member formats:
- user:email@example.com: Individual user
- serviceAccount:sa-name@project-id.iam.gserviceaccount.com: Service account
- group:team@example.com: Google Group
Frequently used roles:
- roles/artifactregistry.reader: Pull images only
- roles/artifactregistry.writer: Push and pull images
- roles/artifactregistry.repoAdmin: Full repository management
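The repository creation command and the per-repository IAM binding described above, as an added example that is not part of the lesson: a POSIX shell script that checks the repository name, location and member format against the rules this lesson states, then prints the gcloud command it would run. It never invokes gcloud, so it runs offline; the project id my-project-id and the ci-cd service account are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the lesson): build the gcloud commands this lesson
# describes, after validating the inputs against the lesson's own rules.
# gcloud is never invoked here, so the script runs offline.

# Repository names: lowercase letters, digits and hyphens only (lesson rule).
valid_repo_name() { printf '%s' "$1" | grep -Eq '^[a-z0-9-]+$'; }

# Regional location form such as us-central1 or europe-west1. This catches
# the "us-central-1" misspelling the lesson warns about.
valid_location() { printf '%s' "$1" | grep -Eq '^[a-z]+-[a-z]+[0-9]+$'; }

# Members must use one of the prefixes the lesson lists: user:, serviceAccount:, group:.
valid_member() { printf '%s' "$1" | grep -Eq '^(user|serviceAccount|group):[^@ ]+@[^@ ]+$'; }

# Prints the repository creation command; returns 1 instead if the name
# or location would be rejected by the rules above.
build_create_cmd() {
  repo="$1"; location="$2"; description="$3"
  valid_repo_name "$repo" || { echo "invalid repository name: $repo" >&2; return 1; }
  valid_location "$location" || { echo "invalid location: $location" >&2; return 1; }
  printf 'gcloud artifacts repositories create %s --repository-format=docker --location=%s --description="%s"\n' \
    "$repo" "$location" "$description"
}

# Prints the per-repository IAM binding command (e.g. roles/artifactregistry.writer
# for a CI/CD service account so that it can push images).
build_binding_cmd() {
  repo="$1"; location="$2"; member="$3"; role="$4"
  valid_location "$location" || { echo "invalid location: $location" >&2; return 1; }
  valid_member "$member" || { echo "invalid member: $member" >&2; return 1; }
  printf 'gcloud artifacts repositories add-iam-policy-binding %s --location=%s --member="%s" --role="%s"\n' \
    "$repo" "$location" "$member" "$role"
}

# Full image reference in the LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE form.
# Arguments: project location repository image
image_uri() { printf '%s-docker.pkg.dev/%s/%s/%s\n' "$2" "$1" "$3" "$4"; }

# Demonstration with placeholder values (my-project-id and the ci-cd account are assumed).
build_create_cmd my-web-app us-central1 "Web app images"
build_binding_cmd my-web-app us-central1 \
  serviceAccount:ci-cd@my-project-id.iam.gserviceaccount.com roles/artifactregistry.writer
image_uri my-project-id us-central1 my-web-app web:v1
# A misspelled location is rejected before any command is printed:
build_create_cmd my-web-app us-central-1 "typo" || echo "rejected as expected"
```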
Verify your repository creation using the list command:
This returns information about all repositories in the specified location:
For detailed information about a specific repository, use the describe command:
This provides comprehensive details, including:
- name: The full resource name of the repository.
- format: Should show DOCKER.
- location: Should show us-central1.
- createTime: When the repository was created.
- updateTime: Last modification timestamp.
Focus on these key fields in the output:
- format: Confirms the repository type (DOCKER).
- location: Verifies the repository location.
- name: The complete resource identifier.
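The verification step above, as an added example that is not part of the lesson: a POSIX shell script that reads describe output and checks the format and location fields the lesson highlights. The describe output it uses is a constructed sample in the command's YAML-style layout (with the assumed project id my-project-id), not output captured from a real project.

```shell
#!/bin/sh
# Added example (not from the lesson): check the fields the lesson says to
# verify in `gcloud artifacts repositories describe` output. The sample below
# is constructed in the command's YAML-style layout, not captured from a project.
SAMPLE_DESCRIBE='createTime: 2024-01-15T10:30:00.000000Z
format: DOCKER
name: projects/my-project-id/locations/us-central1/repositories/my-web-app
updateTime: 2024-01-15T10:30:00.000000Z'

# Value of a top-level "key: value" line, read from the describe output on stdin.
describe_field() { awk -v k="$1" -F': ' '$1 == k { print $2 }'; }

# Location taken from the "locations/<loc>/" segment of the full resource name,
# so the check works even when no separate location line is printed.
describe_location() {
  describe_field name | sed -n 's#.*/locations/\([^/]*\)/repositories/.*#\1#p'
}

# Succeeds only when format and location match the expected values; prints each mismatch.
check_describe() {
  expected_format="$1"; expected_location="$2"
  output=$(cat)
  format=$(printf '%s\n' "$output" | describe_field format)
  location=$(printf '%s\n' "$output" | describe_location)
  status=0
  [ "$format" = "$expected_format" ] || { echo "format is '$format', expected $expected_format"; status=1; }
  [ "$location" = "$expected_location" ] || { echo "location is '$location', expected $expected_location"; status=1; }
  return $status
}

# Demonstration: the sample passes for DOCKER in us-central1 and fails for us-west1.
printf '%s\n' "$SAMPLE_DESCRIBE" | check_describe DOCKER us-central1 && echo "repository verified"
printf '%s\n' "$SAMPLE_DESCRIBE" | check_describe DOCKER us-west1 || echo "mismatch detected"
```

To check a live repository, replace the sample with the real command's output, e.g. pipe `gcloud artifacts repositories describe my-web-app --location=us-central1` into check_describe.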
When creating Artifact Registry repositories, several common issues can cause confusion or prevent successful repository creation. Understanding these pitfalls and their solutions helps you troubleshoot problems quickly.
Common Issues and Solutions:
- Location mismatch: Use the --location flag to specify the correct Google Cloud location (e.g., us-central1, not us-central-1).
- Access denied: Verify your IAM roles include roles/artifactregistry.repoAdmin, which is required for repository creation. Note that roles/artifactregistry.writer is insufficient for creating repositories.
- Name conflicts: Repository names must be unique within your project and location.
- Format specification: Always include --repository-format=docker for Docker repositories.
- API not enabled: Ensure the Artifact Registry API is enabled with gcloud services enable artifactregistry.googleapis.com.
- Network issues: These usually resolve automatically, but verify Google Cloud service endpoint connectivity if persistent.
Most repository creation failures stem from these fundamental configuration issues rather than complex technical problems. Always verify your location spelling and IAM permissions first when troubleshooting.
You've successfully learned to create Artifact Registry repositories with Google Cloud's security infrastructure. You can now use gcloud artifacts repositories create with proper configuration and verify repositories with gcloud artifacts repositories list and gcloud artifacts repositories describe.
Your repository integrates with the Container Analysis API for automatic vulnerability scanning and uses IAM roles for fine-grained access control. These foundational skills prepare you for more advanced Artifact Registry operations like image lifecycle management and CI/CD integration.
In the upcoming practice exercises, you'll create your own repository, verify its configuration, and explore the command outputs hands-on, reinforcing these concepts before moving to image pushing in the next lesson.
