OIDC for GCP GCR private image pulls
Nick O'Keefe
When a project is configured to use OIDC, it should be possible to use these credentials to pull a private image (or images) from GCR when starting the executor. Users currently have to pass in a long-lived service account key (image attached).
OIDC can be set up for GCP (1), but private image pulls are not yet supported.
Benoît Sauvère
Because this is not possible today, we had to create a GCP Service Account key that is distributed to all the projects using CircleCI, with all the drawbacks it implies such as:
- almost impossible to rotate these credentials
- it can be stolen
- impossible to monitor who is accessing the registry
Mohamad Basel Zahed
This is very important for us in order to stop using the service account key. We have spent a good amount of effort and time changing our configuration to use OIDC Federation for all our jobs, and now we are stuck because pulling the image itself still requires the key :(
Owen Haynes
Sort of a duplicate of https://ideas.circleci.com/cloud-feature-requests/p/openid-connect-docker-login
but it seems CircleCI provides more support to AWS than GCP