Google Artifact Registry (GAR) and Google Container Registry (GCR) are private, secure V2 registries hosted on the Google Cloud platform. Since a given registry services one Google Cloud project, you can have several registries on Google Cloud, each for a different project.

In addition, each registry can be located in one gcloud region. You should integrate each registry separately for each region.

In addition, the service account accessing the registry requires the Storage Object Viewer IAM role. For more information, refer to IAM roles for Cloud Storage.

Due to changes to the gcloud APIs, users must enable the Cloud Resource Manager API for the integration with Aqua to work. The API should be enabled per-project. For more information, refer to the Resource Manager documentation.

Authentication Mechanism for Integration from Aqua

There are two authentication methods supported for Aqua to integrate with both GAR and GCR as explained in the following sections. For more information on these authentication mechanisms, refer to the Google Cloud document, Authentication methods.

For more information on the steps to integrate Aqua with GAR and GCR, refer to the Aqua document, General Configurations for Image Registries and Repositories.

Service account JSON key

It is the recommended method for Aqua admins to integrate with GAR and GCR. This is a long-lived credential and scoped to a project. You should create a service account (as described in the Google Cloud document, Authentication methods), and grant appropriate permissions, so that it is able to access the project's registry. Aqua recommends defining a role for the service account, with read-only permissions. Once the service account is created, you are prompted to save the account's JSON key file. You should supply content of this file to Aqua Admin for using it, while configuring the registry integration.  

Access Token

This is a short-lived credential with read/write access to all your gcloud resources. While access token definitely works, it is highly recommended to use JSON key files instead. Since access tokens can expire at any time, new tokens must be supplied to replace them. Daily scans might fail if the respective token has expired. If you still prefer to use access tokens, you can easily generate them by running the gcloud auth print-access-token command on your shell. You should supply the generated token to to Aqua Admin for using it, while configuring the registry integration. For more information on the procedure to generate access token, refer to this Google Cloud document