I need to setup a CI/CD pipeline with gcr.io as my container registry.
I use a Service Connection with the Docker ID _token and password from gcloud auth print-access-token to connect my pipeline agent to the registry.
However this token is short-lived. How can I create a permanent token ? Does gcr.io allow that ?
There are a number of authentication options presented on https://cloud.google.com/container-registry/docs/advanced-authentication. They tend to emphasize short-lived access, because otherwise:
If your goal in using a "permanent token" is performance related, there are many other areas to try boosting efficiency that are safer.
If you are already using the Access Token mechanism, you probably already have service account keys in your CI environment. If that service account has access to the container registry, you can use the JSON Key File authentication mechanism for a more "permanent" access.
Any privileges associated with this service account are at risk of leak to anyone that can copy the service account key out of the CI system. I like to base64 encode keys in CI to minimize the chance of accidentally display, though this does very little to deter deliberate theft.
