{"id":"ar-access-scopes-can-restrict-beyond-iam","text":"Compute Engine VM access scopes can further restrict Artifact Registry access beyond IAM roles — the default `read-only` scope blocks writes even if the SA has Writer role; `cloud-platform` scope is needed for push.","truth_value":"IN","source":"entries/2026/03/11/artifactregistry-access-control.md","source_url":"","source_hash":"b8ce5667057c1e51","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"ar-access-scopes-can-restrict-beyond-iam","truth_value":"IN","reason":"premise"}]}}