Google Artifact Registry
Deploy Docker images from your private Google Artifact Registry repository with Miru
Instead of using public Docker Hub images, as we did with the mongo:4.2.0 image in Prepare your Application, you can use private images located in your Google Artifact Registry repository.
To do so, we need to create a service account in your Google Cloud project, add it to miru, and grant it read-only access to your chosen Artifact Registry repositories. Follow the steps below to connect miru with your Google Artifact Registry.
Connect to Google Artifact Registry
Navigate to the service accounts page in your Google Cloud Console. Select the Google Cloud project that you want to connect miru to. We’re using container-integration.
Click the Create Service Account button to create a new service account for this Google Cloud Project.
Fill in the service account name and description before clicking Create and Continue. You can follow the naming convention we’ve used or choose your own.
Finally, click Done to create the service account.
Currently, this service account has no permissions to access any resources in your Google Cloud project. The following steps show you how to add permissions to the service account so that it can access desired Artifact Registry repositories.
miru uses the service account you provide to create temporary tokens (valid for 1 hour) that are distributed to your devices for authenticating to Google Artifact Registry. To do this, we must add the Service Account Token Creator role to the service account.
Navigate to the service accounts page in your Google Cloud Console.
Copy the email of the service account you just created to your clipboard. For us that’s miru-49@container-integration.iam.gserviceaccount.com. Then click into the service account.
Navigate to the Permissions tab.
Click the Grant Access button.
Paste the service account email which you copied earlier into the New principals box and select the service account. Next select the Service Account Token Creator role to be assigned. Finally, hit Save.
Your service account now has the Service Account Token Creator role, allowing it to create temporary tokens with the same permission set as the service account itself.
Next, we’ll give the service account access to repositories in Google Artifact Registry.
To grant a service account access to repositories in your Artifact Registry, navigate to the Artifact Registry Page in Google Cloud Console and select the same Google Cloud project as the service account you connected to miru with. For us that’s container-integration.
Select the repository you want to grant your service account access to. We’ve selected the django repository. Then click the Add Principal button.
Open a new tab in the Service Accounts Page, find the service account you connected to miru with, and copy the email address listed.
Navigate back to the Artifact Registry Page and paste the service account email address into the New Principals field. Then add the Artifact Registry Reader role to the service account and click Save.
You should now see your service account listed with the Artifact Registry Reader role for the repository you selected. To grant miru access to more repositories, simply repeat the process for each repository.
Congratulations! You’ve successfully connected miru to a Google Artifact Registry repository. miru will have read-only access to selected repositories in your Artifact Registry. If you want to add repositories from a different Google Cloud project, please create a separate service account for that project, add it to miru, and grant access to the chosen repositories.
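To confirm that the grants match what the steps above describe, the following added example (not part of the miru documentation) audits IAM policy JSON such as that exported with `gcloud iam service-accounts get-iam-policy`, `gcloud artifacts repositories get-iam-policy` and `gcloud projects get-iam-policy` using `--format=json`. The sample policies, the `staging` repository and the `admin@example.com` user are constructed for illustration.

```python
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
READER = "roles/artifactregistry.reader"


def roles_for(policy, member):
    """Return the set of roles a member holds in one IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(sa_email, sa_policy, repo_policies, project_policy):
    """Compare exported IAM policies with the grants described in the guide."""
    member = f"serviceAccount:{sa_email}"
    findings = []
    # The account needs Token Creator on itself to mint the 1-hour tokens.
    if TOKEN_CREATOR not in roles_for(sa_policy, member):
        findings.append("missing Token Creator on the service account itself")
    # Any other principal holding that role can mint tokens as this account.
    for b in sa_policy.get("bindings", []):
        if b["role"] == TOKEN_CREATOR:
            for other in sorted(set(b.get("members", [])) - {member}):
                findings.append(f"{other} can also create tokens for {sa_email}")
    # Each selected repository should carry the Reader role and nothing broader.
    for repo, policy in sorted(repo_policies.items()):
        roles = roles_for(policy, member)
        if READER not in roles:
            findings.append(f"{repo}: Artifact Registry Reader not granted")
        for extra in sorted(roles - {READER}):
            findings.append(f"{repo}: broader role {extra}")
    # A project-level binding would apply to every repository in the project.
    for role in sorted(roles_for(project_policy, member)):
        findings.append(f"project-level role {role}")
    return findings


# Constructed sample policies using the account and repository named on this page.
SA = "miru-49@container-integration.iam.gserviceaccount.com"
SA_POLICY = {"bindings": [{"role": TOKEN_CREATOR,
                           "members": [f"serviceAccount:{SA}"]}]}
GOOD_REPO = {"bindings": [{"role": READER, "members": [f"serviceAccount:{SA}"]}]}
BAD_REPO = {"bindings": [{"role": "roles/artifactregistry.writer",  # too broad
                          "members": [f"serviceAccount:{SA}"]}]}
PROJECT_POLICY = {"bindings": [{"role": "roles/owner",
                                "members": ["user:admin@example.com"]}]}

if __name__ == "__main__":
    repos = {"django": GOOD_REPO, "staging": BAD_REPO}
    for line in audit(SA, SA_POLICY, repos, PROJECT_POLICY):
        print(line)
```

An empty result means the account holds only the two roles the guide grants; conditional bindings are not evaluated by this check.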
To use an image from your Google Artifact repository, simply specify the image reference in your docker-compose.yml file.
    <compose-service>:
      image: <region>-docker.pkg.dev/<google-cloud-project>/<repository>/<image>:<tag>
For instance, adding an image from our django repository looks like this:
    <compose-service>:
      image: us-central1-docker.pkg.dev/container-integration/django/backend:latest
Click into the service account you just created.
Navigate to the Keys tab to view the service account’s keys.
Create a new key by clicking the Add Key dropdown and selecting Create new key.
Select JSON as the key type and click Create.
The keys will automatically download to your computer. We’ll quickly upload them to miru and then remove them as soon as we’re done with them.
Before adding the service account to miru, please ensure that the IAM Service Account Credentials API is enabled for your Google Cloud project. To do so, navigate to the IAM Service Account Credentials API page in Google Cloud Console and click the Enable button.
Navigate to the Google Artifact Registry Page in miru. Click the Add Service Account button to add the service account we just created.
Click Select File and upload the JSON key file downloaded from Google Cloud. Then click Connect.
You should now see the service account we just created in the list of service accounts on the Google Artifacts Integration page.
This key file can grant access to your Google Cloud project resources and should not be shared with anyone else.