Understanding the Google Cloud Container Registry Service Agent

Introduction

Have you ever created a Google Cloud Container Registry (GCR) or migrated from GCR to Google Artifact Registry (GAR) and wondered how it performs its duties on your project? Or perhaps you've seen the service account service-[PROJECT_NUMBER]@containerregistry.iam.gserviceaccount.com appearing in your security findings and wondered where it comes from? In this article, we'll explore the role of the Google Cloud Container Registry Service Agent, its benefits, and how to manage it effectively.

What Are Service Agents?

Service agents are Google-managed service accounts that allow Google Cloud services to access your resources. These service accounts are essential for the operation of various Google Cloud services and are sometimes referred to as service agents.

Google Cloud Container Registry Service Agent

The Google Cloud Container Registry Service Agent is a specific type of service agent used by the Container Registry to interact with Google Cloud services. This service account is not visible in the Cloud Console IAM section. To locate and verify the privileges of such service accounts, you can use the following command in Cloud Shell:

gcloud projects get-iam-policy PROJECT-ID \
    --flatten="bindings[].members" \
    --format='table(bindings.role)' \
    --filter="bindings.members:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com"

Replace PROJECT-ID with your Google Cloud project ID and PROJECT-NUMBER with your Google Cloud project number.

Container Registry Service Agent Role

Before October 2020, the Container Registry service account was granted the Editor role. To enhance security and follow the principle of least privilege, this service account is now granted the Container Registry Service Agent Role. This role includes the following permissions:

If your Container Registry service account was created before October 5, 2020, it might still have the Editor role. You can restrict it to the service agent role by running the commands below.

Service Agent Role Replaced with Basic Role

In some cases, you might see a finding in the GCP Security Command Center IAM recommender indicating that the service agent role has been replaced with a basic role. This finding suggests that the service account has more permissions than necessary, which can pose a security risk. It's important to address this by ensuring the service account has only the permissions it needs.

Granting the Container Registry Service Agent Role

To grant the Container Registry Service Agent role, use the following command:

gcloud projects add-iam-policy-binding PROJECT-ID \
    --member=serviceAccount:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com \
    --role=roles/containerregistry.ServiceAgent

Revoking the Editor Role

To revoke the Editor role, use the following command:

gcloud projects remove-iam-policy-binding PROJECT-ID \
    --member=serviceAccount:service-PROJECT-NUMBER@containerregistry.iam.gserviceaccount.com \
    --role=roles/editor
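The three steps above (locate the agent, grant the service agent role, revoke Editor) can be turned into a repeatable audit. The script below is an added example, not part of the original article or of any Google tooling: it parses the JSON form of `gcloud projects get-iam-policy` (a constructed sample is embedded; the project number and the PROJECT-ID argument are placeholders), lists every Container Registry service agent bound in the policy, and for each one holding a basic role (Owner, Editor or Viewer) instead of the service agent role produces the exact grant and revoke commands to run.

```python
import json
import re

# Constructed sample of `gcloud projects get-iam-policy PROJECT-ID --format=json`
# output; the project number 123456789012 is a placeholder, not a real project.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:service-123456789012@containerregistry.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyZ=", "version": 1,
})
# Constructed policy where the agent already has only the service agent role.
CLEAN_POLICY = json.dumps({"bindings": [
    {"role": "roles/containerregistry.ServiceAgent",
     "members": ["serviceAccount:service-123456789012@containerregistry.iam.gserviceaccount.com"]}]})

AGENT_RE = re.compile(r"^serviceAccount:service-\d+@containerregistry\.iam\.gserviceaccount\.com$")
SERVICE_AGENT_ROLE = "roles/containerregistry.ServiceAgent"
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def agent_roles(policy_json):
    """Return {member: [roles]} for every Container Registry service agent in the policy."""
    found = {}
    for binding in json.loads(policy_json).get("bindings", []):
        for member in binding.get("members", []):
            if AGENT_RE.match(member):
                found.setdefault(member, []).append(binding["role"])
    return found


def audit(project_id, policy_json):
    """Flag agents holding a basic role or lacking the service agent role; emit fix commands."""
    findings = []
    for member, roles in agent_roles(policy_json).items():
        basic = sorted(BASIC_ROLES & set(roles))
        if not basic and SERVICE_AGENT_ROLE in roles:
            continue  # least privilege already in place, nothing to do
        commands = []
        if SERVICE_AGENT_ROLE not in roles:  # grant first so the registry keeps working
            commands.append(f"gcloud projects add-iam-policy-binding {project_id} "
                            f"--member={member} --role={SERVICE_AGENT_ROLE}")
        for role in basic:  # then revoke each over-broad basic role
            commands.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                            f"--member={member} --role={role}")
        findings.append({"member": member, "basic_roles": basic, "commands": commands})
    return findings


if __name__ == "__main__":
    for finding in audit("PROJECT-ID", SAMPLE_POLICY):
        print(finding["member"], "holds", finding["basic_roles"])
        print("\n".join(finding["commands"]))
```

Run the real policy through it with `gcloud projects get-iam-policy PROJECT-ID --format=json` as input; the grant command is emitted before the revoke so the agent never loses access to the registry between the two steps.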

Conclusion

Understanding the role and management of the Google Cloud Container Registry Service Agent is crucial for maintaining the security and efficiency of your Google Cloud projects. By following the principle of least privilege and using the appropriate commands, you can ensure that your service accounts have the necessary permissions without exposing your project to unnecessary risks.

Happy reading!