Google Container Registry with Google Apps

The Container Registry allows you to easily push your docker images to Cloud Storage.

Nominally, the registry entry for an image will be, where projectname is the name of the project on the Developer Console and containername is whatever id you want. At this point, however, both of these only reliably seem to support A-Za-z_-.

TL;DR: If you're using my container script:

echo >> container.cfg

Or, for Google Apps:

echo >> container.cfg

Then, you can simply

./ push

Bucket Setup

Since I have a Google Apps domain, my Developer Console projects are all$project which can't be used as the projectname in the registry. I've found two ways around this problem

Solution 1: Separate Project

My first solution was to use a non-Google-Apps project for the Cloud Storage. This turned out to be somewhat more complicated than I had anticipated. I did end up getting it working, so I want to try to document it here.

  1. If you haven't already, spin up a GKE Cluster.
    • I believe this will ensure that the right robot accounts are created.
  2. Create a public project (yourproject below)
  3. Create a storage bucket named
  4. Configure the ACL for the bucket
    • Log into the developer console for your apps project ( below)
    • Open the Permissions tab and copy the Compute Engine Service Account (it will be something like
      • If you have multiple service accounts listed, you can run curl http://metadata/computeMetadata/v1beta1/instance/service-accounts/default/email from a running instance to find the service account to use
    • Go to the public storage bucket in Storage > Cloud Storage > Storage Browser
    • Edit the bucket permissions to add a "User" with the service account as a "Reader"
    • Do the same for the default object permissions
  5. Use gcloud docker push to push the image.
    • Check the permissions on the repositories/library/imagename/tag_latest file within the bucket to ensure that the permissions applied correctly.

If you are doing this after the fact, you can use the following command to update the already-created objects (note the :R after the service account):

gsutil -m acl ch -r -u gs://  

Solution 2: Bucket registry

It turns out that you can use a special _b_ prefix to specify a bucket name instead of a project name! You can use to push to an existing Google Cloud Storage bucket!

With this solution, it's as simple as

docker tag your/docker-image 
gcloud docker push