
As of now, Google Container Registry does not allow granular access control to the images stored in the registry. By default, you can only grant users or groups of users access to the entire registry. In addition, you only get one registry per project, so creating more registries to provide unique access permissions is also rather time-consuming.

For situations where you want to grant a user or group access to a specific Docker image in GCR, you can do the following:

# Prerequisites: gcloud, gsutil and jq

# User access
IMAGE_NAME=nginx
IMAGE_TAG=1.17.8
USER=user@example.com
REGISTRY_NAME=sample-registry
# Read the manifest, then grant read (R) on the config blob and each layer blob
for digest in $(curl --silent --request GET --user "_token:$(gcloud auth print-access-token)" "https://gcr.io/v2/$REGISTRY_NAME/$IMAGE_NAME/manifests/$IMAGE_TAG" | jq -r '.config.digest, .layers[].digest'); do
  gsutil acl ch -u "$USER:R" "gs://artifacts.$REGISTRY_NAME.appspot.com/containers/images/$digest"
done

# Group access
IMAGE_NAME=nginx
IMAGE_TAG=1.17.8
USER=group@example.com
REGISTRY_NAME=sample-registry
# Same loop as for a user, but -g grants the read ACL to a group
for digest in $(curl --silent --request GET --user "_token:$(gcloud auth print-access-token)" "https://gcr.io/v2/$REGISTRY_NAME/$IMAGE_NAME/manifests/$IMAGE_TAG" | jq -r '.config.digest, .layers[].digest'); do
  gsutil acl ch -g "$USER:R" "gs://artifacts.$REGISTRY_NAME.appspot.com/containers/images/$digest"
done

The examples above are for the US registry. To update the EU registry, make the following changes:

# Update GCS bucket
artifacts.$REGISTRY_NAME.appspot.com > eu.artifacts.$REGISTRY_NAME.appspot.com
# Update registry reference
https://gcr.io/v2/$REGISTRY_NAME/$IMAGE_NAME/manifests/$IMAGE_TAG > https://eu.gcr.io/v2/$REGISTRY_NAME/$IMAGE_NAME/manifests/$IMAGE_TAG
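
The blobs sit under containers/images/<digest> with no image name in the path, so a layer used by two images is a single object and a read grant on it applies to both images. The following is an added example, not code from the original post: it validates the digests returned by the manifest call, builds the object URLs for the US or EU bucket described above, and lists which blobs of one image are also referenced by another. The function names are hypothetical and the sample digests are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample digests are constructed.

# Map a registry host to its backing bucket (the US and EU mappings above).
gcr_bucket() {  # $1 = registry host, $2 = REGISTRY_NAME
  case "$1" in
    gcr.io)    printf 'artifacts.%s.appspot.com\n' "$2" ;;
    eu.gcr.io) printf 'eu.artifacts.%s.appspot.com\n' "$2" ;;
    *) echo "unhandled registry host: $1" >&2; return 1 ;;
  esac
}

# Read digests (one per line) on stdin, print the object URL for each.
# Digests come from a network response, so anything that is not
# sha256:<64 hex chars> is rejected before it reaches a gsutil command line.
gcr_blob_urls() {  # $1 = registry host, $2 = REGISTRY_NAME
  bucket=$(gcr_bucket "$1" "$2") || return 1
  while IFS= read -r digest || [ -n "$digest" ]; do
    if ! printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
      echo "refusing malformed digest: $digest" >&2
      return 1
    fi
    printf 'gs://%s/containers/images/%s\n' "$bucket" "$digest"
  done
}

# Print digests that appear in both list files (one digest per line each).
shared_digests() {  # $1, $2 = digest list files
  { sort -u "$1"; sort -u "$2"; } | sort | uniq -d
}

# Constructed sample: two images that share one base layer.
hex64() { printf '%064d' 0 | tr 0 "$1"; }
demo() {
  tmp=$(mktemp -d) || return 1
  printf 'sha256:%s\n' "$(hex64 a)" "$(hex64 b)" > "$tmp/shared_image"
  printf 'sha256:%s\n' "$(hex64 a)" "$(hex64 c)" > "$tmp/other_image"
  echo "objects a grant on shared_image would touch:"
  gcr_blob_urls eu.gcr.io sample-registry < "$tmp/shared_image"
  echo "of those, also referenced by other_image:"
  shared_digests "$tmp/shared_image" "$tmp/other_image"
  rm -rf "$tmp"
}
demo
```

To use it against a real image, save the `jq -r` output from the loops above to one file per image and pass those files in place of the constructed ones.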