Docker Config in GCE and using GAR

1. Install Docker

2. Add user into docker group:

sudo usermod -a -G docker ${USER}

3. Add a service account in Google Cloud Console

• IAM & Admin -> Service Accounts -> Create service account
• Add a key and save the key file on your local machine

4. Add the service account into IAM members

• IAM & Admin -> IAM -> Add
• Enter the created service account
• Select role as Artifact Registry Reader

5. scp the key file from local machine to GCE instance

6. SSH into GCE instance and activate the service account

• gcloud auth activate-service-account ACCOUNT --key-file=KEY-FILE
• ACCOUNT: the service account
• KEY-FILE: the path of the key file
• You should see the message after activation:

Activated service account credentials for: [xxxxxx]

7. Configured Docker to use gcloud as a credential helper

• gcloud auth configure-docker HOSTNAME-LIST
• HOSTNAME-LIST: a comma-separated list of repository hostnames to add to the credential helper configuration, e.g. asia-docker.pkg.dev,us-central1-docker.pkg.dev

Pull image from GAR (Google Artifacts Registry)

docker pull [LOCATION]-docker.pkg.dev/[PROJECT-ID]/[REPOSITORY]/[IMAGE]:[TAG]

or

docker pull [LOCATION]-docker.pkg.dev/[PROJECT-ID]/[REPOSITORY]/[IMAGE]@[IMAGE_DIGEST]

where:

• [LOCATION] is the regional or multi-regional location of the repository where the image is stored, e.g.asia,us-central1.
• [PROJECT-ID] is your Google Cloud Console project ID. If your project ID contains a colon (:), see Domain-scoped projects.
• [REPOSITORY] is the name of the repository where the image is stored.
• [IMAGE] is the image's name in Container Registry.
• [TAG] is the tag applied to the image. In a registry, tags are unique to an image.
• [IMAGE_DIGEST] is the sha256 hash value of the image contents. In the console, click on the specific image to see its metadata. The digest is listed as the Image digest.

Reference

GAR - Setting up authentication for Docker

GAR - Pushing and pulling images