OIDC for GCP GCR private image pulls
planned
Nick O'Keefe
When a project is configured to use OIDC, it should be possible to use these credentials to pull private image(s) from GCR when starting the executor. Users currently have to pass in a long-lived service account key (image attached).
OIDC can be set up for GCP (1), but private image pulls are not yet supported.

Nathan Fish
planned
We will be looking at what we can do to support GCP.
Marius Sturm
Our setup runs in a multi-cloud environment, and we need to be able to pull from both vendors. AWS and GCP should have feature parity. There is no good reason why OIDC works for AWS but not for GCP.

Benoît Sauvère
Because this is not possible today, we had to create a GCP Service Account key that is distributed to all the projects using CircleCI, with all the drawbacks it implies such as:
- almost impossible to rotate these credentials
- it can be stolen
- impossible to monitor who is accessing the registry

Mohamad Basel Zahed
This is very important for us in order to stop using the service account key. We have spent a good amount of effort and time changing our configuration to use OIDC Federation for all our jobs, and now we are stuck because pulling the image itself still requires the key :(

Owen Haynes
Sort of a duplicate of https://ideas.circleci.com/cloud-feature-requests/p/openid-connect-docker-login
but it seems CircleCI provides more support to AWS than GCP