Authenticated docker pulls for GCP Artifact Registry?

I’d like to use private docker images stored in GCP Artifact Registry for some of my jobs. I’ve been looking through the documentation but I haven’t found a way to do authenticated docker pulls from there. My understanding is that there’s no way to generate a long-lived username/password, you can only have a long-lived service account key (which is then used to generate the username/password). This means that there’s nothing I can use for the jobs.docker.auth fields. Has anyone figured this out?

I know I can start a job with a public image and then authenticate and pull the private image, but I want the job to use the private image from the start.