{
  "results": [
    {
      "id": "ar-access-scopes-can-restrict-beyond-iam",
      "text": "Compute Engine VM access scopes can further restrict Artifact Registry access beyond IAM roles — the default `read-only` scope blocks writes even if the SA has Writer role; `cloud-platform` scope is needed for push.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-cleanup-dry-run-requires-data-access-logs",
      "text": "Artifact Registry cleanup dry run results appear in Data Access audit logs, which must be explicitly enabled with \"data write\" type to see results.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-cloud-build-default-read-write",
      "text": "Cloud Build's default service account has read/write access to Artifact Registry.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-cloudrun-cross-project-service-agent",
      "text": "Cloud Run cross-project Artifact Registry access requires granting roles to the Cloud Run Service Agent (`service-PROJECT-NUMBER@serverless-robot-prod.iam.gserviceaccount.com`), not just the runtime service account.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-cross-project-requires-explicit-grant",
      "text": "Artifact Registry cross-project access is not automatic — roles must be explicitly granted in the Artifact Registry project.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-default-compute-sa-read-only",
      "text": "Compute Engine, GKE, and Cloud Run default service accounts get read-only access to Artifact Registry by default.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-tags-attach-to-repos-not-artifacts",
      "text": "Resource Manager tags attach to Artifact Registry repositories only, not individual artifacts, for conditional IAM access control.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "ar-virtual-repo-requires-sa-grant-to-upstreams",
      "text": "Virtual repositories require explicit grants for the Artifact Registry service account to access upstream repositories.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloud-nat-google-apis-use-pga-not-nat",
      "text": "Traffic to Google APIs uses Private Google Access, not Public NAT, even when Public NAT is configured.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloud-nat-serverless-requires-vpc-egress",
      "text": "Serverless resources (Cloud Run, Cloud Run functions, App Engine) require Direct VPC egress or Serverless VPC Access to use Cloud NAT.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloud-nat-software-defined-regional-gateway",
      "text": "Cloud NAT is a software-defined regional gateway on Cloud Router (not proxy VMs), routing internet egress while directing Google API traffic through Private Google Access instead, and requiring VPC egress configuration for serverless resources.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudbuild-private-pool-vpc-peering-access",
      "text": "Cloud Build private pools connect to customer VPC networks via VPC peering (private services access) to reach private resources.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-direct-vpc-egress-more-ip-addresses",
      "text": "Direct VPC egress uses more IP addresses than Serverless VPC Access connectors in most cases.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-internet-egress-requires-vpc-plus-nat-chain",
      "text": "Cloud Run internet egress for VPC-connected workloads requires chaining two regional constructs: Direct VPC egress (preferred over connector VMs) for outbound-only VPC access, then Cloud NAT on Cloud Router for internet-bound traffic — neither alone is sufficient for serverless-to-internet connectivity.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-secret-fail-fast-startup",
      "text": "Cloud Run's Secret Manager integration creates fail-fast startup semantics: the recommended production pattern (API access with pinned versions) defers resolution to runtime, but env-var-bound secrets that fail to load prevent instance startup entirely — forcing a choice between startup reliability and the best-practice access pattern.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-secret-requires-secret-accessor-role",
      "text": "The Cloud Run service account needs `roles/secretmanager.secretAccessor` on each referenced secret, verified at deployment time.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-vpc-connector-uses-compute-engine-vms",
      "text": "Serverless VPC Access connectors require provisioned Compute Engine VM instances that add cost and maintenance overhead.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-vpc-egress-direct-over-connector",
      "text": "Cloud Run VPC egress should use Direct VPC egress over Serverless VPC Access connectors: direct egress requires no connector VMs (avoiding Compute Engine cost and maintenance), has lower latency, and both methods handle only outbound traffic.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-vpc-egress-outbound-only",
      "text": "Both Direct VPC egress and Serverless VPC Access connectors handle only outbound traffic from Cloud Run; inbound from VPC routes through a load balancer.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudsql-private-access-simple-for-serverless",
      "text": "Cloud SQL private IP access is operationally simple for serverless workloads: stable connection strings survive failover, and private networking avoids public internet exposure.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    }
  ],
  "count": 113,
  "limit": 20,
  "offset": 0
}