I am trying to run a GitLab CI job using an image from a private GCP Artifact Registry, i.e.:
build job:
  stage: build_job
  image: toto-tata-docker.pkg.dev/my-gcp/my-project/my-image:${IMAGE_VERSION}
  variables:
    ...
I have read in many places, including in the GitLab docs, that using a DOCKER_AUTH_CONFIG CI/CD variable could do the trick, and it is suggested to use
docker login toto-tata-docker.pkg.dev --username my_username --password my_password
and copy whatever is in ~/.docker/config.json after that.
Now my problem is that I am using a service account to authenticate into that AR, and I have no idea how to find the username and password necessary to generate the "right" ~/.docker/config.json .... :'(
I tried using a Credential Helper as suggested in the GCP docs (that is actually what my ~/.docker/config.json looks like on my laptop when I docker login with the service account key):
{
  "credHelpers": {
    "toto-tata-docker.pkg.dev": "gcloud"
  }
}
but the job fails because of a denied permission:
...
denied: Permission "artifactregistry.repositories.downloadArtifacts" denied on reso
...
It would be awesome if anyone could advise!!
Thank you!!
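
Added example, not part of the original post: Artifact Registry accepts a service account key over Docker basic auth with the username `_json_key_base64` and the base64-encoded key file as the password, so the `auths` entry for DOCKER_AUTH_CONFIG can be built without running docker login. The function names, the sample key and the `ci-puller` account below are constructed for illustration.

```python
import base64
import json

# Constructed sample key: every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-gcp",
    "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "ci-puller@my-gcp.iam.gserviceaccount.com",
})


def build_docker_auth_config(registry_host, sa_key_json):
    """Return the JSON text to store in the DOCKER_AUTH_CONFIG CI/CD variable."""
    key = json.loads(sa_key_json)
    missing = {"type", "private_key", "client_email"} - set(key)
    if missing or key["type"] != "service_account":
        raise ValueError("input is not a service account key file")
    # Password: the whole key file, base64-encoded (no whitespace or quoting issues).
    password = base64.b64encode(sa_key_json.encode("utf-8")).decode("ascii")
    # Docker's "auth" field is base64("username:password").
    pair = f"_json_key_base64:{password}".encode("ascii")
    auth = base64.b64encode(pair).decode("ascii")
    return json.dumps({"auths": {registry_host: {"auth": auth}}})


def identity_in_config(config_json, registry_host):
    """Decode an auths entry and report (username, service account e-mail).

    Use this to confirm which identity the runner will present to the registry.
    """
    auth = json.loads(config_json)["auths"][registry_host]["auth"]
    username, _, password = base64.b64decode(auth).decode("ascii").partition(":")
    key = json.loads(base64.b64decode(password))
    return username, key["client_email"]


if __name__ == "__main__":
    host = "toto-tata-docker.pkg.dev"
    config = build_docker_auth_config(host, SAMPLE_KEY)
    print(identity_in_config(config, host))
```

The account reported by `identity_in_config` is the one that needs the `artifactregistry.repositories.downloadArtifacts` permission named in the error above (the Artifact Registry Reader role includes it). The generated value embeds the private key, so it has to be handled as a secret.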