Hello Google Cloud Community,
I'm encountering a perplexing issue with Artifact Registry cleanup policies in my production environment, and I'm hoping to get some insights or troubleshooting guidance from the community.
The Problem:
I have an identical Terraform configuration for my Artifact Registry repositories across two GCP projects: staging and production.
The cleanup policies work perfectly in my staging environment, successfully deleting untagged images and images older than 7 days, while keeping the 3 most recent versions.
Here's the relevant Terraform snippet for the cleanup policies:
resource "google_artifact_registry_repository" "docker" {
  location      = var.region
  repository_id = "docker"
  description   = "Dockerfile repository"
  format        = "DOCKER"

  # Delete every version that carries no tag.
  cleanup_policies {
    action = "DELETE"
    id     = "delete-untagged"
    condition {
      tag_state = "UNTAGGED"
    }
  }

  # Delete any version (tagged or not) older than 7 days.
  cleanup_policies {
    action = "DELETE"
    id     = "delete-older-than-7d"
    condition {
      older_than = "604800s" # 7 days
      tag_state  = "ANY"
    }
  }

  # KEEP wins over DELETE: always retain the 3 most recent versions.
  cleanup_policies {
    action = "KEEP"
    id     = "keep-minimum-versions"
    most_recent_versions {
      keep_count = 3
    }
  }
}
However, in my production environment, these exact same policies do not seem to execute. Images are not being deleted as expected.
My Investigation So Far:
IAM Permissions: I have thoroughly checked the IAM permissions for the relevant service accounts (including the one deploying the Terraform and the default service agent) at both the project and repository levels in production. They have artifactregistry.admin.
Service Agent Confusion: This led me to suspect an issue with the Artifact Registry Service Agent in the production project. When I go to "IAM & Admin" -> "Service Accounts" in the Cloud Console, I do not see a service account named service-PROJECT_NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com (which is typically created automatically).
Attempting manual creation via gcloud: I followed the official documentation (https://cloud.google.com/sdk/gcloud/reference/beta/services/identity/create) and ran the command:
gcloud beta services identity create --service=artifactregistry.googleapis.com --project=YOUR_PRODUCTION_PROJECT_ID
The command responded with: Service identity created: service-<NUMBER>@gcp-sa-artifactregistry.iam.gserviceaccount.com (where <NUMBER> is my actual project number).
However, refreshing the "Service Accounts" page in the console still shows no such service account.
Attempting creation via Terraform: Similarly, if I try to ensure its creation using Terraform, it reports successful creation, but it remains invisible in the "Service Accounts" list.
I understand that Google-managed service agents are not typically listed in the user-managed service accounts view. However, the fact that I'm seeing no evidence of cleanup policies executing, combined with the "invisibility" of this crucial service agent, is highly concerning.
My Questions:
Any guidance or troubleshooting steps would be greatly appreciated!
Thank you,
solotomas
Hello, the service account you are talking about is not a normal service account but a special kind of account called a service agent. These accounts are not visible in the Service Accounts section, but you can see them under IAM once some roles and permissions are assigned to them.
https://cloud.google.com/artifact-registry/docs/ar-service-account
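Two checks a practitioner would run against the production project before concluding the agent is missing, as an added example that is not code from this thread. The first reads the repository description and reports whether it is in dry-run mode (the `cleanup_policy_dry_run` argument of `google_artifact_registry_repository`; a dry-run repository logs what it would delete and deletes nothing). The second reads the project IAM policy and lists the roles bound to the Artifact Registry service agent, which is where a service agent becomes visible, as the reply above says. `$PROJECT` and `$REGION` are placeholders, and the sample `describe` and `get-iam-policy` outputs below are constructed for offline use with a made-up project number.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumptions: gcloud is
# installed and authenticated for the live commands; $PROJECT and $REGION are
# placeholders for the production project ID and the repository location.

# (1) Is the repository in dry-run mode? A repository created with
# cleanup_policy_dry_run = true (Terraform) logs what *would* be deleted and
# deletes nothing. Reads the output of
#   gcloud artifacts repositories describe docker --location="$REGION" \
#       --project="$PROJECT" --format=yaml
# from stdin; exit 0 if the repository is in dry-run mode, 1 otherwise.
is_dry_run() {
  grep -Eq '^cleanupPolicyDryRun: *true$'
}

# (2) Which roles does the Artifact Registry service agent hold? It never
# appears under "Service Accounts"; it is only visible as an IAM member.
# Reads  gcloud projects get-iam-policy "$PROJECT" --format=json  from stdin
# and prints one role per binding that names the agent. gcloud emits JSON
# with sorted keys, so "members" precedes "role" inside each binding.
agent_roles() {
  awk '
    /serviceAccount:service-[0-9]+@gcp-sa-artifactregistry\.iam\.gserviceaccount\.com/ { hit = 1 }
    /"role":/ {
      if (hit) { r = $0; sub(/.*"role": *"/, "", r); sub(/".*/, "", r); print r }
      hit = 0
    }
  '
}

# Live use (needs gcloud credentials; not run here):
#   gcloud artifacts repositories describe docker --location="$REGION" \
#       --project="$PROJECT" --format=yaml | is_dry_run && echo "dry run: nothing is deleted"
#   gcloud projects get-iam-policy "$PROJECT" --format=json | agent_roles
# gcloud can answer the second question by itself as well:
#   gcloud projects get-iam-policy "$PROJECT" --flatten="bindings[].members" \
#       --filter="bindings.members:gcp-sa-artifactregistry" --format="value(bindings.role)"

# Constructed sample outputs, shaped like the real commands' output, so the
# checks can run offline. The project number 123456789012 is made up.
SAMPLE_DESCRIBE='cleanupPolicies:
  delete-untagged:
    action: DELETE
    condition:
      tagState: UNTAGGED
  keep-minimum-versions:
    action: KEEP
    mostRecentVersions:
      keepCount: 3
cleanupPolicyDryRun: true
format: DOCKER
name: projects/my-prod-project/locations/us-central1/repositories/docker'

SAMPLE_POLICY='{
  "bindings": [
    {
      "members": [
        "serviceAccount:service-123456789012@gcp-sa-artifactregistry.iam.gserviceaccount.com"
      ],
      "role": "roles/artifactregistry.serviceAgent"
    },
    {
      "members": [
        "user:alice@example.com"
      ],
      "role": "roles/owner"
    }
  ],
  "etag": "BwXyz",
  "version": 1
}'

main() {
  if printf '%s\n' "$SAMPLE_DESCRIBE" | is_dry_run; then
    echo "repository is in dry-run mode: policies only log, they never delete"
  fi
  echo "roles bound to the Artifact Registry service agent:"
  printf '%s\n' "$SAMPLE_POLICY" | agent_roles
}

main
```

If the first check reports dry-run mode, the policies are running but deliberately deleting nothing; if the second prints no roles at all, the agent has no binding in that project and the `gcloud beta services identity create` step above is the right fix, after which `roles/artifactregistry.serviceAgent` should appear.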