Skip to content

Google Container Registry

GCRAccessToken creates a GCP Access token that can be used to authenticate with GCR in order to pull OCI images. You won't need any extra permissions to request for a token, but the token would only work against a GCR if the token requester (service Account or WI) has the appropriate access

You must specify the spec.projectID in which GCR is located.

Output Keys and Values

Key Description
username username for the docker login command.
password password for the docker login command.
expiry time when token expires in UNIX time (seconds since January 1, 1970 UTC).

Authentication

Workload Identity

Use spec.auth.workloadIdentity to point to a Service Account that has Workload Identity enabled. For details see GCP Secret Manager.

GCP Service Account

Use spec.auth.secretRef to point to a Secret that contains a GCP Service Account. For details see GCP Secret Manager.

Example Manifest

apiVersion: generators.external-secrets.io/v1alpha1
kind: GCRAccessToken
spec:
  # project where gcr lives in
  projectID: ""

  # choose authentication strategy
  auth:
    # option 1: workload identity
    workloadIdentity:
      # point to the workload identity
      # service account
      serviceAccountRef:
        name: ""
        audiences: []
      # the cluster can live in a different project or location
      # use the following fields to configure where the cluster lives
      clusterLocation: ""
      clusterName: ""
      clusterProjectID: ""


    # option 2: GCP service account
    secretRef:
      secretAccessKeySecretRef:
        name: ""
        key: ""