OIDC for GCP GCR private image pulls | Feature Requests

OIDC for GCP GCR private image pulls

planned

Nick O'Keefe

When a project is configured to use OIDC, it should be possible to use these credentials to pull a privates image(s) from GCR when starting the executor. Users currently have to pass in a long-lived service account key (image attached).
OIDC can be setup for GCP (1), but private image pulls are not yet supported.
(1) https://circleci.com/docs/openid-connect-tokens/#google-cloud-platform

September 11, 2023

Nathan Fish

marked this post as

planned

We will be looking at what we can do to support GCP.

Marius Sturm

Our setup runs in a multi cloud environment, we need to be able to pull from both vendors. AWS and GCP should have feature parity. There is no good reason why OIDC works for AWS but not for GCP.

Benoît Sauvère

Because this is not possible today, we had to create a GCP Service Account key that is distributed to all the projects using CircleCI, with all the drawbacks it implies such as:

almost impossible to rotate this credentials
it can be stolen
impossible to monitor who is accessing the registry

Mohamad Basel Zahed

This is very important for us in order to stop using the service account key. We have spent good amount of effort and time changing our configuration to use OIDC Federation for all our jobs and now we are stuck because pulling the image itself still requires the key :(

Owen Haynes

sort of a duplicate for https://ideas.circleci.com/cloud-feature-requests/p/openid-connect-docker-login

but seems circleci provides more support to AWS then GCP