I’d like to use private docker images stored in GCP Artifact Registry for some of my jobs. I’ve been looking through the documentation but I haven’t found a way to do authenticated docker pulls from there. My understanding is that there’s no way to generate a long-lived username/password, you can only have a long-lived service account key (which is then used to generate the username/password). This means that there’s nothing I can use for the jobs.docker.auth fields. Has anyone figured this out?
I know I can start a job with a public image and then authenticate and pull the private image, but I want the job to use the private image from the start.
As the CircleCI Container Registry documentation suggests, the value of $GCS_AUTHORIZATION is simply the JSON service account key json file. Do not base64 encode it. Just paste the JSON directly into Circle - yes really - it’ll Just Work.
That username is _json_key, with only one underscore.
When viewing the container in the Artifact Registry there’s a neat Copy button, which copies a correctly formatted URL. Click, paste it as the image value, no mess no muss.
Where does that _json_key username come from? Per the Artifact Registry Documentation on authentication (can’t link it because I’m too new of a user) there are two variants: _json_key and _json_key_base64, the latter of which means the password is base64-encoded JSON, not plain JSON. This username and authentication scheme works equally well, just use whichever variant fits your workflow (haha!) better.
Edit: where does this env variable come from? It can come from a context!
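The setup described in the answer above, written out as a `.circleci/config.yml` (an added example, not part of the original posts). The image path, the context name and the `GCS_AUTHORIZATION_B64` variable are constructed placeholders; `GCS_AUTHORIZATION`, `_json_key` and `_json_key_base64` are the names used in the thread.

```yaml
# Added example: project, repository, image and context names are placeholders.
version: 2.1

jobs:
  # Variant 1: username _json_key, password is the raw contents of the
  # service account key file (plain JSON, not base64 encoded).
  test-plain-json:
    docker:
      - image: us-central1-docker.pkg.dev/example-project/example-repo/example-image:1.0
        auth:
          username: _json_key              # single leading underscore
          password: $GCS_AUTHORIZATION     # raw JSON key, pasted as-is
    steps:
      - checkout
      - run: echo "job started inside the private image"

  # Variant 2: username _json_key_base64, password is the same key file,
  # base64 encoded before being stored.
  test-base64:
    docker:
      - image: us-central1-docker.pkg.dev/example-project/example-repo/example-image:1.0
        auth:
          username: _json_key_base64
          password: $GCS_AUTHORIZATION_B64 # hypothetical variable name
    steps:
      - checkout
      - run: echo "job started inside the private image"

workflows:
  main:
    jobs:
      # The context (hypothetical name) holds the key variables, so the
      # secret is not stored per project and access to it can be
      # restricted to the groups allowed to use that context.
      - test-plain-json:
          context: gcp-artifact-registry
      - test-base64:
          context: gcp-artifact-registry
```

Because the key is long-lived, granting the service account only read access to the repository (for example the Artifact Registry Reader role) limits what a leaked key can do.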