I'm trying to set up CI/CD with CircleCI and I'd like the base image of my pipelines to be a custom made CI/CD image which lives in Artifact Registry. I'm having trouble figuring out how to properly authenticate CircleCI when pulling the base image for a job.
I've looked at both the CirlceCI docs for authenticated pulls and the Artifact Registry docs for authentication and I can't figure out how to put the two puzzle pieces together. It seems CircleCI requires some sort of password or access-key while Artifact Registry requires either glcoud for direct docker configuration (gcloud auth configure-docker
) access token generation OR interactive docker logins (cat KEY-FILE | docker login -u KEY-TYPE --password-stdin \ https://LOCATION-docker.pkg.dev
).
How can I use a private docker image in Artifact Registry as the base for a job in CircleCI?
Figured it out:
GOOGLE_APPLICATIONS_CREDENTIALS
in CircleCI with the key made in step 1 docker:
- image: us-west1-docker.pkg.dev/<PROJECT>/<REPOSITORY>/<IMAGE>
auth:
username: _json_key
password: $GOOGLE_APPLICATION_CREDENTIALS
If you base64 encode your service account key, use _json_key_base64
as the username. Note that the password is the name of the secret we made in step 2.