When a project is configured to use OIDC, it should be possible to use these credentials to pull a privates image(s) from GCR when starting the executor. Users currently have to pass in a long-lived service account key (image attached).
OIDC can be setup for GCP (1), but private image pulls are not yet supported.