Authenticated docker pulls for GCP Artifact Registry?

I’d like to use private docker images stored in GCP Artifact Registry for some of my jobs. I’ve been looking through the documentation but I haven’t found a way to do authenticated docker pulls from there. My understanding is that there’s no way to generate a long-lived username/password, you can only have a long-lived service account key (which is then used to generate the username/password). This means that there’s nothing I can use for the jobs.docker.auth fields. Has anyone figured this out?

I know I can start a job with a public image and then authenticate and pull the private image, but I want the job to use the private image from the start.

1 Like

This is the third Google result for me when I searched CircleCI + Artifact Registry. I got this working, so I’m going to document how I did it!

Too Long; Didn’t Read

Turns out the Authorizing with Google Cloud SDK for Container Registry works for Artifact Registry too! Follow the instructions and use your Artifact Registry URL to download it.

Your image value will look something like this:

image: $REGION-docker.pkg.dev/$PROJECT_NAME/$REGISTRY_NAME/$CONTAINER_NAME:$TAG

Detailed Example

Here’s an executor block sample, assuming your region is us-central1:

executors:
  basic:
    docker:
      - image: us-central1-docker.pkg.dev/your-project-name-here/your-artifact-registry-name-here/container-name:myTag
        auth:
          username: _json_key
          password: $GCS_AUTHORIZATION

Tips:

  1. As the CircleCI Container Registry documentation suggests, the value of $GCS_AUTHORIZATION is simply the JSON service account key file. Do not base64 encode it. Just paste the JSON directly into Circle - yes really - it’ll Just Work.
  2. That username is _json_key, with only one underscore.
  3. When viewing the container in the Artifact Registry there’s a neat Copy button, which copies a correctly formatted URL. Click, paste it as the image value, no mess, no muss.

Where does that _json_key username come from? Per the Artifact Registry Documentation on authentication (can’t link it because I’m too new of a user) there are two variants: _json_key and _json_key_base64, the latter of which means the password is base64-encoded JSON, not plain JSON. This username and authentication scheme works equally well, just use whichever variant fits your workflow (haha!) better.

Edit: where does this env variable come from? It can come from a context!

2 Likes
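An added example, not part of the posts above and not CircleCI's or Google's code: a local pre-flight check that the value you are about to store as $GCS_AUTHORIZATION matches the username variant in the executor block (raw JSON for _json_key, base64 for _json_key_base64), without printing the secret. The function names and the sample key are hypothetical and constructed for illustration.

```python
import base64
import json

# Fields every Google service account key file carries.
REQUIRED = {"type", "private_key", "client_email"}

def _is_key(text):
    """True if text is a JSON object shaped like a service account key."""
    try:
        doc = json.loads(text)
    except ValueError:
        return False
    return (isinstance(doc, dict) and REQUIRED.issubset(doc)
            and doc["type"] == "service_account")

def _b64_to_text(text):
    """Strictly decode base64; None if it is not valid base64 of UTF-8 text."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def check_auth(username, password):
    """Diagnose a registry username/password pair without echoing the secret."""
    decoded = _b64_to_text(password)
    raw_ok = _is_key(password)
    b64_ok = decoded is not None and _is_key(decoded)
    if username == "_json_key":
        if raw_ok:
            return "ok"
        if b64_ok:
            return "password is base64: paste the raw JSON or use _json_key_base64"
        return "password is not a service account key JSON"
    if username == "_json_key_base64":
        if b64_ok:
            return "ok"
        if raw_ok:
            return "password is raw JSON: base64-encode it or use _json_key"
        return "password is not base64 of a service account key JSON"
    return "unexpected username: expected _json_key or _json_key_base64"

# Constructed sample key (placeholder values, not a real credential).
SAMPLE_KEY = json.dumps({"type": "service_account",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ci-puller@your-project-name-here.iam.gserviceaccount.com"})
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY.encode()).decode()

if __name__ == "__main__":
    for user, pw in [("_json_key", SAMPLE_KEY), ("_json_key", SAMPLE_KEY_B64), ("__json_key", SAMPLE_KEY)]:
        print(user, "->", check_auth(user, pw))
```
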
