I’d like to use private docker images stored in GCP Artifact Registry for some of my jobs. I’ve been looking through the documentation but I haven’t found a way to do authenticated docker pulls from there. My understanding is that there’s no way to generate a long-lived username/password, you can only have a long-lived service account key (which is then used to generate the username/password). This means that there’s nothing I can use for the jobs.docker.auth fields. Has anyone figured this out?
I know I can start a job with a public image and then authenticate and pull the private image, but I want the job to use the private image from the start.
As the CircleCI Container Registry documentation suggests, the value of $GCS_AUTHORIZATION is simply the JSON service account key json file. Do not base64 encode it. Just paste the JSON directly into Circle - yes really - it’ll Just Work.
That username is _json_key, with only one underscore.
When viewing the container in the Artifact Registry there’s a neat Copy button, which copies a correctly formatted URL. Click, paste it as the image value, no mess no muss.
Where does that _json_key username come from? Per the Artifact Registry Documentation on authentication (can’t link it because I’m too new of a user) there are two variants: _json_key and _json_key_base64, the latter of which means the password is base64-encoded JSON, not plain JSON. This username and authentication scheme works equally well, just use whichever variant fits your workflow (haha!) better.
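
The setup described in the answer above, written out as a CircleCI config. This is an added example, not part of the original posts. The registry host, project, repository and image names are constructed placeholders, and GCS_AUTHORIZATION_B64 is a hypothetical variable name for the base64 variant.

```yaml
version: 2.1

jobs:
  # Variant 1: plain JSON key, as described in the answer.
  build:
    docker:
      # Placeholder path; paste the URL from the Artifact Registry Copy button.
      - image: us-central1-docker.pkg.dev/example-project/example-repo/example-image:latest
        auth:
          username: _json_key              # single leading underscore
          password: $GCS_AUTHORIZATION     # raw service account key JSON, not base64
    steps:
      - checkout
      - run: echo "job started inside the private image"

  # Variant 2: same key, stored base64-encoded.
  build-base64:
    docker:
      - image: us-central1-docker.pkg.dev/example-project/example-repo/example-image:latest
        auth:
          username: _json_key_base64
          password: $GCS_AUTHORIZATION_B64 # hypothetical variable holding the base64 of the key file
    steps:
      - checkout
      - run: echo "job started inside the private image"

workflows:
  main:
    jobs:
      - build
      - build-base64
```

Both variables are set as project or context environment variables in CircleCI, and the service account behind the key only needs read access to the repository (for example roles/artifactregistry.reader).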