Public | Automated Build

Last pushed: 2 years ago
Short Description
Update docker credentials to use GCR with the JWT token generation scheme.
Full Description

Google JWT Token

Create JWT tokens from the JSON credentials attached to a Google service account.

Use the token to update a .dockercfg file to use docker with GCR but without the gcloud tool.

How To

Get the Credentials

  • Google Developers Console for a particular project
  • Section APIs and Auth > Credentials
  • Add Credentials to a Service Account of type JSON, save the file as auth-file.json

To just get a JWT token, scroll down to the documentation.
To refresh the docker auth file see below.

Use With Docker

docker run -v /location/to/auth-file.json:/token/auth-file.json -v /root/.dockercfg:/token/.dockercfg hasura/google-jwt-gcr-token

Use With CoreOS

systemd unit and timer to periodically refresh the docker auth file.

  - name: docker.service
    command: start
  - name: docker-credentials.service
    content: |
      [Unit]
      Description=Update .dockercfg file with GCR credentials

      [Service]
      ExecStartPre=/usr/bin/mkdir -p /var/lib/kubelet
      ExecStartPre=/bin/touch /var/lib/kubelet/.dockercfg
      ExecStart=/usr/bin/docker run --rm -v=/location/to/auth-file.json:/token/auth-file.json -v=/var/lib/kubelet/.dockercfg:/token/.dockercfg --name=google_jwt_token hasura/google-jwt-gcr-token
      ExecStop=/bin/bash -c "/usr/bin/docker stop -t 2 google_jwt_token && /usr/bin/docker rm -f google_jwt_token || true"
  - name: docker-credentials.timer
    command: start
    content: |
      [Unit]
      Description=Refresh docker GCR credentials every 50 minutes

      [Timer]
      # Assumed directives, derived from the description above:
      # run once when the timer starts, then 50 minutes after each run.
      OnActiveSec=10s
      OnUnitActiveSec=50min


As a Kubernetes Pod

The pangaea project is an example of how to run this Docker image in a pod and make the Google JSON credentials file available as a Kubernetes secret. This allows Kubernetes to download images from a private Docker Google Cloud Registry.


Which .dockercfg

  • the old format
  • /var/lib/kubelet/.dockercfg for Kubernetes
  • $HOME/.dockercfg for docker auth. Expand this to a full path if you're putting it in the systemd file.
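
The merge into an old-format .dockercfg, sketched as an added example (not the image's own code). The registry key https://gcr.io, the oauth2accesstoken username and the placeholder email are assumptions, not values taken from this page.

```python
import base64
import json
import os

# Assumptions (not from the original page): the registry key and the
# "oauth2accesstoken" username GCR accepts with a short-lived access token.
REGISTRY = "https://gcr.io"
USERNAME = "oauth2accesstoken"


def merge_gcr_auth(path, token, registry=REGISTRY, email="none@example.invalid"):
    """Merge one registry entry into an old-format .dockercfg, keeping others."""
    try:
        with open(path, encoding="utf-8") as fh:
            raw = fh.read()
    except FileNotFoundError:
        raw = ""
    # A file freshly created with `touch` is empty, so treat that as {}.
    cfg = json.loads(raw) if raw.strip() else {}
    if not isinstance(cfg, dict):
        raise ValueError(f"{path}: expected a JSON object keyed by registry")
    if "auths" in cfg:
        # The newer config.json nests entries under "auths"; do not mix formats.
        raise ValueError(f"{path}: looks like config.json, not old-format .dockercfg")

    # Old format: {"<registry url>": {"auth": base64("user:secret"), "email": ...}}
    auth = base64.b64encode(f"{USERNAME}:{token}".encode()).decode()
    cfg[registry] = {"auth": auth, "email": email}

    # Write in place: a bind-mounted single file cannot be replaced by rename.
    # Mode 0600 applies on creation; chmod tightens a file that already existed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh, indent=2)
    os.chmod(path, 0o600)
    return cfg
```

The file holds a bearer credential, so the 0600 mode matters on hosts where /var/lib/kubelet or $HOME is readable by other users.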

Environment Variable GOOGLE_JWT_SCOPES

  • The variable GOOGLE_JWT_SCOPES is a space-separated list of scopes
  • For example:

  • .dockercfg file mounted at /token/.dockercfg or at the location specified by environment variable DOCKER_CONFIG_FILE
    GCR credentials are merged into this file.
  • variable GOOGLE_JWT_SCOPES
    By default, this is set to the required scope for reading and writing to GCR.
    Refreshes the .dockercfg file every this many seconds
    By default, runs once then quits
  • Google credentials JSON file at /token/auth-file.json or at the location specified by environment variable GOOGLE_SA_FILE

  • Google credentials JSON file at /token/auth-file.json or at the location specified by environment variable GOOGLE_SA_FILE
  • variable GOOGLE_JWT_SCOPES
  • writes a JWT token to stdout


Put together by akshaya01 at 34cross

Released under the MIT license.

Ideas and issues are welcome.
