Google Cloud Container Registry
Storing container images in GCP.
Last updated
Storing container images in GCP.
Last updated
The GCP container registry is a flavor that comes built-in with ZenML and uses the .
Important Notice: Google Container Registry . Please start using Artifact Registry for your containers. As per Google's documentation, "after May 15, 2024, Artifact Registry will host images for the gcr.io domain in Google Cloud projects without previous Container Registry usage. After March 18, 2025, Container Registry will be shut down." The terms container registry
and artifact registry
will be used interchangeably throughout this document.
You should use the GCP container registry if:
one or more components of your stack need to pull or push container images.
you have access to GCP. If you're not using GCP, take a look at the other .
Would you like to skip ahead and deploy a full ZenML cloud stack already, including a Google Artifact Registry? Check out the , the , or for a shortcut on how to deploy & register this stack component.
When using the Google Artifact Registry, you need to:
enable it
go and create a Docker
repository.
When using the Google Artifact Registry, the GCP container registry URI should have the following format:
To figure out the URI for your registry:
On the top, click the copy button to copy the full repository URL.
To use the GCP container registry, we need:
We can then register the container registry and use it in our active stack:
With the GCP CLI installed and set up with credentials, we'll need to configure Docker, so it can pull and push images:
for a Google Container Registry:
for a Google Artifact Registry:
Go and select the repository that you want to use to store Docker images. If you don't have a repository yet, take a look at the .
installed and running.
The registry URI. Check out the on the URI format and how to get the URI for your registry.
You also need to set up required to log in to the container registry.
Integrating and using a GCP Container Registry in your pipelines is not possible without employing some form of authentication. If you're looking for a quick way to get started locally, you can use the Local Authentication method. However, the recommended way to authenticate to the GCP cloud platform is through . This is particularly useful if you are configuring ZenML stacks that combine the GCP Container Registry with other remote stack components also running in GCP.
This method uses the Docker client authentication available in the environment where the ZenML code is running. On your local machine, this is the quickest way to configure a GCP Container Registry. You don't need to supply credentials explicitly when you register the GCP Container Registry, as it leverages the local credentials and configuration that the GCP CLI and Docker client store on your local machine. However, you will need to install and set up the GCP CLI on your machine as a prerequisite, as covered in , before you register the GCP Container Registry.
Stacks using the GCP Container Registry set up with local authentication are not portable across environments. To make ZenML pipelines fully portable, it is recommended to use to link your GCP Container Registry to the remote GCR registry.
To set up the GCP Container Registry to authenticate to GCP and access a GCR registry, it is recommended to leverage the many features provided by such as auto-configuration, local login, best security practices regarding long-lived credentials and reusing the same credentials across multiple stack components.
A non-interactive CLI example that leverages on your local machine to auto-configure a GCP Service Connector targeting a GCR registry is:
Note: Please remember to grant the entity associated with your GCP credentials permissions to read and write to your GCR registry. For a full list of permissions required to use a GCP Service Connector to access a GCR registry, please refer to the or read the documentation available in the interactive CLI commands and dashboard. The GCP Service Connector supports with different levels of security and convenience. You should pick the one that best fits your use-case.
Linking the GCP Container Registry to a Service Connector means that your local Docker client is no longer authenticated to access the remote registry. If you need to manually interact with the remote registry via the Docker CLI, you can use the to temporarily authenticate your local Docker client to the remote registry:
For more information and a full list of configurable attributes of the GCP container registry, check out the .