Natan Yellin

Reputation: 6387

Is it possible to track the number of docker pulls in Google Artifact Registry?

I'd like to measure the number of times a Docker image has been downloaded from a Google Artifact registry repository in my GCP project.

Is this possible?

Upvotes: 10

Views: 1748

Answers (2)

Lindsay Smith

Reputation: 106

We do not yet have platform logs for Artifact Registry unfortunately, so using the CALs is the only way to do this today. You can also turn the CALs into log-based metrics and get graphs and metrics that way too.

The recommendation to filter by 'Docker-GetManifest' is also correct - it's the only request type for which a Docker Pull always has exactly one. There will be a lot of other requests that are related but don't match 1:1. The logs will have all requests (Docker-Token, 0 or more layer pulls), including API requests like ListRepositories which is called by the UI in every AR region when you load the page.

Unfortunately, the theory about public requests not appearing is correct. CALs are about logging authentication events, and when a request has no authentication whatsoever, CALs are not generated.

Upvotes: 4

DazWilkin

Reputation: 40296

Interesting question.

I think this would be useful too.

I think there aren't any Monitoring metrics (no artifactregistry resource type is listed, nor are any metrics listed).

However, you can use Artifact Registry audit logs, and you'll need to explicitly enable Data Access logs; see e.g. Docker-GetManifest.


NOTE I'm unsure whether this can be achieved from gcloud.

Monitoring Developer tools, I learned that Audit Logs are configured in Project Policies using AuditConfigs. I still don't know whether this functionality is available through gcloud (anyone?) but evidently, you can effect these changes directly using API calls e.g. projects.setIamPolicy:

gcloud projects get-iam-policy ${PROJECT}
auditConfigs:
- auditLogConfigs:
  - logType: DATA_READ
  - logType: DATA_WRITE
  service: artifactregistry.googleapis.com
bindings:
- members:
  - user:me
  role: roles/owner
etag: BwXanQS_YWg=

Then, pull something from the repo and query the logs:

PROJECT=[[YOUR-PROJECT]]
REGION=[[YOUR-REGION]]
REPO=[[YOUR-REPO]]

FILTER="
logName=\"projects/${PROJECT}/logs/cloudaudit.googleapis.com%2Fdata_access\"
protoPayload.methodName=\"Docker-GetManifest\"
"

gcloud logging read "${FILTER}" \
--project=${PROJECT} \
--format="value(timestamp,protoPayload.methodName)"

Yields:

2022-03-20T01:57:16.537400441Z  Docker-GetManifest

You ought to be able to create logs-based metrics for these too.

Upvotes: 10
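
Added example (not code from either answer): counting pulls offline from entries exported with `gcloud logging read ... --format=json`, keeping only `Docker-GetManifest` as both answers recommend. The sample entries, project and repository names, principals and the `resourceName` layout are constructed assumptions; since unauthenticated pulls generate no audit log entries, the result counts authenticated pulls only.

```python
from collections import Counter

# Per the answers above: exactly one of these is logged per authenticated pull.
PULL_METHOD = "Docker-GetManifest"


def make_entry(method, resource, principal):
    """Build a constructed entry shaped like `gcloud logging read --format=json` output."""
    return {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
        },
    }


# Constructed sample: resource names and principals are placeholders, not real values.
REPO = "projects/example-project/locations/us/repositories/example-repo"
SAMPLE_ENTRIES = [
    make_entry("Docker-Token", REPO, "ci@example.test"),
    make_entry("Docker-GetManifest", REPO + "/app", "ci@example.test"),
    make_entry("Docker-GetManifest", REPO + "/app", "dev@example.test"),
    make_entry("Docker-GetManifest", REPO + "/worker", "ci@example.test"),
    make_entry("ListRepositories", "projects/example-project/locations/us", "dev@example.test"),
    {"textPayload": "entry without protoPayload"},
]


def count_pulls(entries, by="resource"):
    """Count pulls, grouped by resourceName (default) or by calling principal."""
    counts = Counter()
    for entry in entries:
        payload = entry.get("protoPayload") or {}
        if payload.get("methodName") != PULL_METHOD:
            continue  # Docker-Token, ListRepositories, etc. do not map 1:1 to pulls
        if by == "principal":
            auth = payload.get("authenticationInfo") or {}
            key = auth.get("principalEmail", "<unknown>")
        else:
            key = payload.get("resourceName", "<unknown>")
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for name, n in count_pulls(SAMPLE_ENTRIES).most_common():
        print(n, name)
```

Grouping by principal shows which identities pull most often, which helps when reviewing who has read access to the repository.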
