How could we authenticate with a service account key with image-syncer?
pakkeiC opened this issue · 3 comments
To give you more context on my problem, we are trying to sync images between the cloud registry and our on-prem registry. For the cloud registry, we need to authenticate with a service account which has no password, only the service account key JSON.
How could we authenticate using image-syncer in this case? Should we paste the service account key JSON into the password field? I tried to do so, but it seems it is not possible and not a good way.
Kindly seek your help on that. Thank you!
My question is actually the same as the next question. My use case is to sync gcr.io to an on-prem Nexus registry. The service account in gcr.io uses a service account key JSON to authenticate to the registry. How could we achieve that in image-syncer? Thanks!
As an image synchronization tool for more scenarios, it's hard for image-syncer to adapt to all kinds of registries, because there are so many different ways to authenticate. But for now, I do believe username/password is the most general way of authenticating for all registries.
For GCR, maybe this doc can help you a little: https://cloud.google.com/container-registry/docs/advanced-authentication
I had the same situation: I wanted to sync images from an internal registry to Google Cloud registry at eu.gcr.io.
While the service account token failed (I tried "_json_token" as user and the service account token as password), it was possible to synchronize using a temporary token (then using "oauth2accesstoken" as user and the temp token as password).
This workaround is possible, but not so nice. A temp token is only valid for 60 minutes.
It would be nice if image-syncer created the temp services from the service account credentials, using the Google API.
This is implemented for example in dregsy (https://github.com/xelalexv/dregsy, https://github.com/xelalexv/dregsy/blob/master/internal/pkg/auth/gcr.go),
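
The temporary-token workaround from the last comment, as an added example that is not part of the thread or of image-syncer's own code: it fetches a short-lived token and writes it into a credentials file readable only by the current user. Assumptions: the auth file layout (`{"<registry>": {"username": ..., "password": ...}}`), the helper names `fetch_token` and `write_auth_file`, and that `gcloud` has already been activated with the service account key.

```shell
#!/bin/sh
# Added example: build an auth file for one registry from a short-lived token.
# The token expires (60 minutes per the comment above), so call this right
# before every sync run instead of storing the result long term.

# Command that prints an access token; overridable, e.g. for testing.
TOKEN_CMD="${TOKEN_CMD:-gcloud auth print-access-token}"

# fetch_token: print a fresh token, or fail if it is empty or contains
# anything outside the RFC 6750 bearer-token character set.
fetch_token() {
    raw="$($TOKEN_CMD)" || return 1
    token="$(printf '%s' "$raw" | tr -d ' \r\n')"
    case "$token" in
        ''|*[!A-Za-z0-9._~+/=-]*)
            echo "token is empty or has unexpected characters" >&2
            return 1 ;;
    esac
    printf '%s' "$token"
}

# write_auth_file REGISTRY OUTFILE
# Writes OUTFILE with mode 0600. The token never appears on a command line,
# and the file is replaced atomically so a failed run leaves no partial file.
write_auth_file() {
    registry="$1"; out="$2"
    case "$registry" in
        ''|*[!A-Za-z0-9.:-]*)
            echo "invalid registry name" >&2
            return 1 ;;
    esac
    token="$(fetch_token)" || return 1
    tmp="$out.tmp.$$"
    rm -f "$tmp"
    (
        umask 077   # owner-only permissions for the credentials file
        printf '{\n  "%s": {\n    "username": "oauth2accesstoken",\n    "password": "%s"\n  }\n}\n' \
            "$registry" "$token" > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# Typical use (paths are placeholders):
#   write_auth_file eu.gcr.io ./auth.json
```

Delete the generated file after the sync finishes; the token stays usable by anyone who can read it until it expires.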