Configure an Edge site with a Google Artifact Registry

Updated: June 20, 2025

This topic explores how to configure an Edge site with Google Artifact Registry.

We support the following Google Artifact Registry authentication methods:

Service Account Key
Workload Identity Federation for GKE
- This method is only available for:
  - Edge sites installed on a GKE managed Kubernetes cluster.
  - Private container image registries.

Private container image registry
Private Helm registry

Service Account Key

To install your Edge site with container images stored within a Google Artifact Registry using the Service Account Key authentication method, add the following flags to the installation command:

-r registries.yaml
--registry-url <url_for_registry>
--registry-user _json_key
--registry-pass <path_to_json_key_file>

Note If you're installing your Edge site on a managed Kubernetes cluster, for the registry pass, you can either add the path to the json key file as shown in the command, or as a single lined version of what is in the json_key json file, wrapped in single quotes. For example:

Copy

{"type":"service_account","project_id":"","private_key_id":"","private_key":"","client_email":"","client_id":"","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url":""}

Show me an example

sudo sh install-master.sh properties.yaml -r registries.yaml
--registry-url https://europe-west1-docker.pkg.dev/path/to/registry
--registry-user _json_key
--registry-pass /path/to/json_key_file.json

For more information, go to the Google Artifact Registry service account documentation.

Workload Identity Federation for GKE

Google Artifact Registries that use the Workload Identity Federation for GKE authentication method are only supported for Edge sites installed on a GKE managed Kubernetes cluster. We recommend using a service account with GAR access on the GKE node level, however, you can use IAM authentication that doesn't require a specific service account on the cluster to pull container images.

To install your Edge site with container images stored within a Google Artifact Registry using the Workload Identity Federation for GKE authentication method, add the following flag to the installation command:

--registry-url <url_for_registry>

Show me an example

./edgecli install
--registry-url https://europe-west1-docker.pkg.dev/path/to/registry

For more information about the Workload Identity Federation for GKE authentication method, go to Google's documentation:

Important All Helm charts must be uploaded as OCI artifacts.

Service Account Key

To install your Edge site with Helm charts stored within a Google Artifact Registry using the Service Account Key authentication method, add the following flags to the installation command:

--helm-url <oci_url_for_helm_registry>
--helm-user <_json_key file>
--helm-pass <path_to_json_key_file>

Show me an example

./edgecli install
--helm-url oci://europe-west1-docker.pkg.dev/path/to/registry
--helm-user _json_key
--helm-pass /path/to/json_key_file.json

For more information, go to the Google Artifact Registry service account documentation.