Then now, we want to have a docker executor wherein the image is stored in GCP. There’s this guide: Authorize Google Cloud SDK - CircleCI but it uses a GCLOUD_SERVICE_KEY which defeats the purpose of OIDC.
This is our current definition in config.yml that we’re trying to migrate to OIDC
I also need to do this please, it would be super helpful!
I tried getting a temporary access token with gcloud auth print-access-token and exported it into $BASH_ENV, but those variables are not loaded or accessible during the “Spin up environment” step.
Using a service account key is expressly warned against in Google Cloud’s documentation so it’d be nice if we could use e.g. the gcp-cli orb’s setup command with use_oidc: true in some way.
We need this, as well. It’s crazy to me that we can use OIDC for all of the other GCP-related stuff we need to do in our pipelines, but can’t use OIDC to pull a private container.
Service account keys are a non-starter for us. Is there still really no way to make OIDC authenticated repo pulls from GCP?