Access a private GCP Container Registry

Organizations can use private repositories from Docker Hub, AWS, GCP, or Azure for Valohai executions.

Create a service account in GCP

Container Registry uses Cloud Storage buckets as their storage for your images. You control access to your images by granting appropriate Cloud Storage permissions to identities.

1. Create a new service account under your Google Cloud project that contains the registry
2. Add Service Account Token Creator role so it can create temporary tokens for itself
3. Allow the service account to access the registry:
   • Go to https://console.cloud.google.com/storage/browser (Cloud Storage listing)
   • Find and click the bucket that hosts your Container Registry images, it’s in format <OPTIONAL_REGION>.artifacts.<PROJECT_ID>.appspot.com
   • Click Permissions
   • Click Add members
   • Search for the service account using the full ID (the one that looks like an email)
   • Add role Storage Object Viewer if pulling or Storage Admin if pulling and pushing
   • Click Save

4. Download the service account JSON to use in Valohai

Add credentials to Valohai

• Login at https://app.valohai.com
• Navigate to Hi,<name> (the top right menu) > Manage <organization>
• Go to Registries under the organization controls
• Add a new entry
• Insert the match pattern in the format of <domain>/<owner-and-or-repository>/* e.g.
  • gcr.io/my-project/*
  • gcr.io/my-project/my-registry:*
• Choose your registry type and provide the access credentials generated in the first step
• Use the full name of the tagged container (e.g. docker.io/myusername/name:tag) when defining the image in your valohai.yaml