Status: IN
Compute Engine VM access scopes can further restrict Artifact Registry access beyond IAM roles — the default `read-only` scope blocks writes even if the SA has Writer role; `cloud-platform` scope is needed for push.
Source: entries/2026/03/11/artifactregistry-access-control.md