boshek

Reputation: 4416

Alternative means of authenticating GCP registry

So I am trying to get a list of images from GCP Container Registry. This HTTP API call works fine:

## generate a short-lived access token and save it
export TOKEN=$(gcloud auth print-access-token) ## just to get a token
## make the registry API call with that token as the Basic-auth password
curl -u "oauth2accesstoken:$TOKEN" https://gcr.io/v2/yourProject/yourImage/tags/list

However, that workflow is problematic because TOKEN changes each time gcloud generates it, and for reasons I can't have gcloud as a dependency. Is there any way to authenticate a call like the one above with a stable TOKEN/API KEY/ENV VAR? I'd like to be able to have a key that always works to deploy.

Upvotes: 0

Views: 179

Answers (2)

Sarah Remo

Reputation: 719

By default, access tokens are good for 1 hour (3,600 seconds). When the access token has expired, you must get a new token. Using short-lived tokens helps you implement the principle of least privilege across your identities and resources.

However, you can use one of these 2 workarounds:

  1. Use a Service Account, which will generate a JSON key file that does not expire. Service account keys can become a security risk if not managed carefully. You can check this documentation for best practices for managing service account keys.

  2. You can also extend the maximum lifetime to 12 hours.

Identify the service accounts that need an extended lifetime for access tokens, then add these service accounts to an organization policy that includes the constraints/iam.allowServiceAccountCredentialLifetimeExtension list constraint.

Upvotes: 0

DazWilkin

Reputation: 40326

See GCR Authentication methods.

If you don't want to depend on gcloud, you have 2 options:

  1. Service Account key.
  2. Standalone (no gcloud) Credential helper.

In both cases you'll probably (!?) need to create a Service Account and keep the key accessible to the method you choose but be aware that using keys reduces security.

In some cases, you can use Workload Identity Federation which federates e.g. GitHub credentials with a Google identity and avoids the need to generate a Service Account key.

Upvotes: 1
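Both suggestions above (Sarah Remo's 12-hour lifetime extension and DazWilkin's service-account key) can be exercised without gcloud. The script below is an added example, not code from the question or either answer: it mints an access token from a downloaded service-account JSON key using Google's documented JWT-bearer grant (openssl does the RS256 signing), optionally exchanges that token for a 12-hour one through the IAM Credentials generateAccessToken method, and reuses the question's tags/list call. The key-file field names, the token endpoints and the grant type are the publicly documented ones; the service-account e-mail, project and image names, the devstorage.read_only scope, the one-field-per-line key layout and the sed/openssl/mktemp tooling are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the question or either answer): GCR access without gcloud.
# Assumed: the key file is laid out one field per line as IAM downloads it, the
# service account is allowed by the iam.allowServiceAccountCredentialLifetimeExtension
# org policy for the 12h variant, and the scope below is enough to list tags.
set -eu

TOKEN_URL=https://oauth2.googleapis.com/token
IAMCRED_URL=https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts
DEFAULT_SCOPE=https://www.googleapis.com/auth/devstorage.read_only   # assumption

# base64url without padding, as JWT requires
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# Inverse of b64url, useful for inspecting a JWT or token: re-pad and decode.
b64url_decode() {
  s=$(cat)
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | tr '_-' '/+' | base64 -d
}

# json_field FILE NAME -> string value of the top-level "NAME": "..." line.
json_field() {
  sed -n "s/^ *\"$2\": *\"\\(.*\\)\",\\{0,1\\} *\$/\\1/p" "$1"
}

# sa_jwt KEYFILE [SCOPE] -> RS256-signed assertion for the jwt-bearer grant
# (iss = the service account, aud = the token endpoint, exp at most 1h ahead).
sa_jwt() {
  keyfile=$1; scope=${2:-$DEFAULT_SCOPE}
  email=$(json_field "$keyfile" client_email)
  pem=$(mktemp)
  printf '%b\n' "$(json_field "$keyfile" private_key)" > "$pem"   # turn \n escapes into PEM lines
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  claims=$(printf '{"iss":"%s","scope":"%s","aud":"%s","iat":%s,"exp":%s}' \
             "$email" "$scope" "$TOKEN_URL" "$now" "$((now + 3600))" | b64url)
  sig=$(printf '%s.%s' "$header" "$claims" | openssl dgst -sha256 -sign "$pem" | b64url)
  rm -f "$pem"
  printf '%s.%s.%s\n' "$header" "$claims" "$sig"
}

# sa_access_token KEYFILE [SCOPE] -> a normal 1h access token (network call).
sa_access_token() {
  curl -sSf "$TOKEN_URL" \
    --data-urlencode grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
    --data-urlencode "assertion=$(sa_jwt "$1" "${2:-}")" \
  | sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p'
}

# sa_access_token_12h KEYFILE -> 12h token via generateAccessToken (network call).
# The caller token must carry the cloud-platform scope, and the service account
# needs roles/iam.serviceAccountTokenCreator on itself plus the org-policy allow-listing.
sa_access_token_12h() {
  email=$(json_field "$1" client_email)
  short=$(sa_access_token "$1" https://www.googleapis.com/auth/cloud-platform)
  curl -sSf -H "Authorization: Bearer $short" -H 'Content-Type: application/json' \
    -d "{\"scope\":[\"$DEFAULT_SCOPE\"],\"lifetime\":\"43200s\"}" \
    "$IAMCRED_URL/$email:generateAccessToken" \
  | sed -n 's/.*"accessToken": *"\([^"]*\)".*/\1/p'
}

# gcr_list_tags KEYFILE PROJECT IMAGE -> the question's call, token minted from the key.
gcr_list_tags() {
  curl -sSf -u "oauthaccesstoken_placeholder" "https://gcr.io/v2/$2/$3/tags/list" 2>/dev/null || \
  curl -sSf -u "oauth2accesstoken:$(sa_access_token "$1")" "https://gcr.io/v2/$2/$3/tags/list"
}

# gcr_list_tags_jsonkey KEYFILE PROJECT IMAGE -> no token exchange at all: GCR's
# documented _json_key username takes the whole key file as the Basic-auth password.
gcr_list_tags_jsonkey() {
  curl -sSf -u "_json_key:$(cat "$1")" "https://gcr.io/v2/$2/$3/tags/list"
}
```

The JSON key is exactly the long-lived secret both answers warn about: keep it out of the image and the source tree, and prefer the short-lived token path (sa_access_token) over _json_key so the credential that actually reaches the registry expires. b64url_decode lets you read the exp claim of whatever token you get back before relying on it.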
