Booranasak Kanthong

Pulling Docker Images from Google Artifact Registry (GAR) in GitLab CI/CD

Step 1: Activate a Google Cloud Service Account for Secure CI/CD on Linux

When working with cloud-native CI/CD pipelines or Dockerized workloads on Google Cloud Platform (GCP), you often need a service account to authenticate your scripts or tools like gcloud, Docker, or Terraform. In this post, we’ll walk through how to activate a service account using a JSON key file on a Linux machine — the foundational step to enabling automated, authenticated access to GCP resources.

This guide is particularly useful if:

  • You're running a self-hosted GitLab Runner
  • You want to pull private images from Google Artifact Registry
  • You need secure access to GCP from a server or VM

Step 1: Prerequisites
Before starting, make sure you have:

  • A Linux machine (e.g., GCP VM, local server)
  • gcloud CLI installed (see official docs if not)
  • A service account JSON key file, e.g.:
escian-bb074f590610.json

Your key name will be different from mine.

Place this file somewhere secure — for example:

/etc/gitlab-runner/escian-bb074f590610.json

Don't put this in the tmp folder, because it gets wiped on reboot or by system cleanup jobs.


Step 2: Activate the Service Account

Use the following command to activate your service account:

gcloud auth activate-service-account --key-file=/etc/gitlab-runner/escian-bb074f590610.json

If successful, you'll see:

Activated service account credentials for: [your-service-account@your-project.iam.gserviceaccount.com]

Your key file name will likely be different from mine. Adjust the path as needed.

How to Check Which User GitLab Runner Uses

ps -o user:20,pid,cmd -C gitlab-runner

If you see something like this:

USER                 PID CMD
root                 435 /usr/bin/gitlab-runner run ...

Then GitLab Runner is running as root, and you must activate and configure Docker as root.

To authenticate as root, do this:

sudo su -
gcloud auth activate-service-account --key-file=/etc/gitlab-runner/your-key.json
gcloud auth configure-docker asia-southeast1-docker.pkg.dev

This writes credentials to /root/.docker/config.json, where the runner (running as root) can access them.

In Short, Runner and Auth User Must Match

GitLab Runner uses the Docker config of the user it runs as. So you must activate the service account and run gcloud auth configure-docker as that same user.

Otherwise, your CI jobs will fail to pull private images — even though your manual tests "worked fine" under a different user.
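
A pre-flight check for the rule above, as an added example that is not part of the original post: it finds the user that owns the gitlab-runner process, confirms the key file is not readable by group or other, and confirms that user's Docker config maps the registry to the gcloud credential helper. The function names are hypothetical, and it assumes Linux with procps `ps` and `getent`.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.
# Assumes Linux with procps `ps` and `getent`.

# User that owns the running gitlab-runner process (empty if none is running).
runner_user() {
    ps -o user:20 -C gitlab-runner 2>/dev/null | awk 'NR==2 {print $1}'
}

# Succeeds only if the key file exists and grants nothing to group or other.
key_perms_ok() {
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the Docker config maps the registry host to the gcloud helper.
# $1 = path to config.json, $2 = registry host
docker_config_has_helper() {
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    [ -f "$1" ] && grep -Eq "\"$host_re\"[[:space:]]*:[[:space:]]*\"gcloud\"" "$1"
}

# $1 = registry host, $2 = service account key file
check_runner_auth() {
    user=$(runner_user)
    [ -n "$user" ] || { echo "gitlab-runner is not running" >&2; return 2; }
    home=$(getent passwd "$user" | cut -d: -f6)
    rc=0
    key_perms_ok "$2" ||
        { echo "FAIL: $2 is missing or readable by group/other" >&2; rc=1; }
    docker_config_has_helper "$home/.docker/config.json" "$1" ||
        { echo "FAIL: no gcloud helper for $1 in $home/.docker/config.json" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: Docker config for '$user' is set up for $1"
    return "$rc"
}

# Run the check when invoked as: script <registry-host> <key-file>
if [ "$#" -eq 2 ]; then check_runner_auth "$1" "$2"; fi
```

Run it as root or as the runner user so that user's `~/.docker/config.json` is readable; a key file with mode 600 passes the permission check.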
