Suave Bajaj

Authenticate Docker with Google Artifact Registry (Private Repo) Using a Service Account


TL;DR: Want to push/pull private Docker images from Google Artifact Registry? Use a Google Cloud service account with docker login -u _json_key, then use the .docker/config.json for Kubernetes integration.


🧰 Prerequisites

Make sure you have the following:

  • Docker installed locally or in your CI/CD agent
  • Google Cloud SDK (gcloud)
  • A private Artifact Registry (e.g. us-central1-docker.pkg.dev/<project>/<repo>)
  • A service account with Artifact Registry Reader or Writer permissions

⚙️ Step 1: Create a Service Account Key

Create a key file to authenticate Docker later:

    # Create a new key for your Artifact Registry service account
    gcloud iam service-accounts keys create key.json \
      --iam-account=gar-access@<PROJECT_ID>.iam.gserviceaccount.com

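This writes a key.json file to your current directory. The file is a long-lived credential for the service account, so keep it out of version control.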


🔐 Step 2: Authenticate Docker with the Key

Use the service account to log in to your private Artifact Registry:

    # Replace the region with your registry's location
    cat key.json | docker login -u _json_key --password-stdin https://us-central1-docker.pkg.dev

This command updates your ~/.docker/config.json to include authentication for the private registry.


📁 What the Docker Config File Looks Like

After successful login, your ~/.docker/config.json will look like this:

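    {
      "auths": {
        "https://us-central1-docker.pkg.dev": {
          "auth": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
        }
      },
      "currentContext": "colima"
    }

The auth value is a Base64 token: the username and password pair, encoded but not encrypted, so anyone who can read this file can recover the service account key. The currentContext value depends on your Docker client.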

You can use this file:

  • As a Kubernetes image pull secret
  • In CI/CD pipelines
  • For temporary access without gcloud

🚀 Use in CI/CD and Kubernetes

🧪 In CI/CD (GitHub Actions, GitLab, Jenkins, etc.)

You can use the same docker login step using the service account key during your pipeline execution.

📦 In Kubernetes

To use this config as a Kubernetes secret:

    kubectl create secret generic regcred \
      --from-file=.dockerconfigjson=$HOME/.docker/config.json \
      --type=kubernetes.io/dockerconfigjson

Reference it in your workload. This example is a Pod; in a Deployment, imagePullSecrets goes in the Pod template spec:

    apiVersion: v1
    kind: Pod
    metadata:
      name: private-reg
    spec:
      containers:
      - name: private-reg-container
        image: <your-private-image>
      imagePullSecrets:
      - name: regcred
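An added example (not code from the original post) that reduces ~/.docker/config.json to the single registry entry before it becomes the regcred secret, since the full file may carry logins for other registries, or no inline auth at all when a credential store is configured. The names scoped_dockerconfig and b64_pair and all sample values are constructed for illustration.

```python
import base64
import json

REGISTRY = "https://us-central1-docker.pkg.dev"  # registry URL used in this post


def scoped_dockerconfig(config_text, registry=REGISTRY):
    """Return a dockerconfigjson dict holding only `registry`'s inline auth."""
    config = json.loads(config_text)
    entry = config.get("auths", {}).get(registry)
    if entry is None:
        raise ValueError(f"no docker login recorded for {registry}")
    auth = entry.get("auth")
    if not auth:
        # With credsStore/credHelpers, docker login leaves an empty entry and
        # keeps the secret in the helper, so this file cannot pull anything.
        host = registry.split("//")[-1]
        store = config.get("credHelpers", {}).get(host) or config.get("credsStore")
        raise ValueError(f"no inline auth for {registry} (credential store: {store!r})")
    user, _, password = base64.b64decode(auth).decode().partition(":")
    if user != "_json_key":
        raise ValueError(f"expected a _json_key login, found user {user!r}")
    json.loads(password)  # the password must be the service account key JSON
    # Drop every other registry, currentContext and any helper settings.
    return {"auths": {registry: {"auth": auth}}}


def b64_pair(user, secret):
    """Encode user:secret the way docker login stores it in "auth"."""
    return base64.b64encode(f"{user}:{secret}".encode()).decode()


# Constructed sample data: a fake key and a config with a second, unrelated login.
FAKE_KEY = json.dumps({"type": "service_account", "private_key": "constructed"})
SAMPLE_CONFIG = json.dumps({
    "auths": {
        REGISTRY: {"auth": b64_pair("_json_key", FAKE_KEY)},
        "https://index.docker.io/v1/": {"auth": b64_pair("someuser", "constructed")},
    },
    "currentContext": "colima",
})
SAMPLE_WITH_STORE = json.dumps({"auths": {REGISTRY: {}}, "credsStore": "osxkeychain"})

if __name__ == "__main__":
    # Write this output to a file and pass it to --from-file=.dockerconfigjson=...
    print(json.dumps(scoped_dockerconfig(SAMPLE_CONFIG), indent=2))
```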

🔍 Verify the Setup

Once authenticated, verify the setup by building, tagging, and pushing an image to your private Artifact Registry.

🛠️ Build the Docker Image

    # Replace myapp with your actual app name, and ensure your Dockerfile is in the current directory.
    docker build -t myapp:latest .

🏷️ Tag the Image

    # Replace <project> and <repo> with your actual GCP project ID and Artifact Registry repository.
    docker tag myapp:latest us-central1-docker.pkg.dev/<project>/<repo>/myapp:latest

📤 Push the Image

    docker push us-central1-docker.pkg.dev/<project>/<repo>/myapp:latest

📥 Optionally, Pull to Confirm

    docker pull us-central1-docker.pkg.dev/<project>/<repo>/myapp:latest

If these steps complete without errors, your service account authentication and private registry access are working perfectly!


✅ Summary and References

  • Use a Google Cloud service account with _json_key to securely access private Artifact Registry images.
  • docker login will generate a valid config.json.
  • Use that config for Kubernetes and CI/CD integration.
  • No need for gcloud runtime dependencies in CI.