Authenticate Docker with Google Artifact Registry (Private Repo) Using a Service Account

#docker #gcp #devops #kubernetes

⚡ TL;DR: Want to push/pull private Docker images from Google Artifact Registry? Use a Google Cloud service account with docker login -u _json_key, then use the .docker/config.json for Kubernetes integration.

🧰 Prerequisites

Make sure you have the following:

Docker installed locally or in your CI/CD agent
Google Cloud SDK (gcloud)
A private Artifact Registry (e.g. us-central1-docker.pkg.dev/<project>/<repo>)
A service account with Artifact Registry Reader or Writer permissions

⚙️ Step 1: Create a Service Account Key

Create a key file to authenticate Docker later:

# Create a new key for your artifact registry service account
gcloud iam service-accounts keys create key.json \
  --iam-account=gar-access@<PROJECT_ID>.iam.gserviceaccount.com

This will download a key.json file locally.

🔐 Step 2: Authenticate Docker with the Key

Use the service account to log in to your private Artifact Registry:

# Replace the region with your registry's location
cat key.json | docker login -u _json_key --password-stdin https://us-central1-docker.pkg.dev

This command updates your ~/.docker/config.json to include authentication for the private registry.

📁 What the Docker Config File Looks Like

After successful login, your ~/.docker/config.json will look like this:

{
  "auths": {
    "https://us-central1-docker.pkg.dev": {
      "auth": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."  // Base64 token
    }
  },
"currentContext": "colima" // As per your docker client
}

You can use this file:

As a Kubernetes image pull secret
In CI/CD pipelines
For temporary access without gcloud

🚀 Use in CI/CD and Kubernetes

🧪 In CI/CD (GitHub Actions, GitLab, Jenkins, etc.)

You can use the same docker login step using the service account key during your pipeline execution.

📦 In Kubernetes

To use this config as a Kubernetes secret:

kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=$HOME/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson

Reference it in your Deployment:

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: regcred

🔍 Verify the Setup

Once authenticated, verify the setup by building, tagging, and pushing an image to your private Artifact Registry.

🛠️ Build the Docker Image

docker build -t myapp:latest .
#Replace myapp with your actual app name, and ensure your Dockerfile is in the current directory.

🏷️ Tag the Image

docker tag myapp:latest us-central1-docker.pkg.dev/<project>/<repo>/myapp:latest
#Replace <project> and <repo> with your actual GCP project ID and Artifact Registry repository.

📤 Push the Image

docker push us-central1-docker.pkg.dev/<project>/<repo>/myapp:latest

📥 Optionally, Pull to Confirm

docker pull us-central1-docker.pkg.dev/<project>/<repo>/myapp:latest

If these steps complete without errors, your service account authentication and private registry access are working perfectly!

✅ Summary and References

Use a Google Cloud service account with _json_key to securely access private Artifact Registry images.
docker login will generate a valid config.json.
Use that config for Kubernetes and CI/CD integration.
No need for gcloud runtime dependencies in CI.