How to Pull Images from GCP Artifact Registry on an On-Premises Kubernetes Cluster

To access Google Cloud Platform (GCP) Artifact Registry from a local Kubernetes cluster using a service account key file, you need to follow these steps:

  1. Create a GCP Service Account and Key File
  2. Create a Kubernetes Secret with the Service Account Key
  3. Configure Your Kubernetes Deployment to Use the Secret
  4. Pull Images from Artifact Registry

Step-by-Step Guide

1. Create a GCP Service Account and Key File

  1. Create the Service Account:
   gcloud iam service-accounts create my-service-account --display-name "My Service Account"
  2. Grant the Necessary Roles to the Service Account:
   gcloud projects add-iam-policy-binding <YOUR-PROJECT-ID> \
       --member="serviceAccount:my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com" \
       --role="roles/artifactregistry.reader"
Replace <YOUR-PROJECT-ID> with your GCP project ID. roles/artifactregistry.reader is the read-only role, which is all an image pull needs.

  3. Create and Download the Key File:
   gcloud iam service-accounts keys create key.json \
       --iam-account my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com

2. Create a Kubernetes Secret with the Service Account Key

  1. Create the Secret:
   kubectl create secret docker-registry gcp-artifact-registry \
       --docker-server=https://LOCATION-docker.pkg.dev \
       --docker-username=_json_key \
       --docker-password="$(cat key.json)" \
       --docker-email=<YOUR-EMAIL>
Replace:

  • LOCATION with the location of your Artifact Registry (e.g., us-central1).
  • <YOUR-EMAIL> with your email.

3. Configure Your Kubernetes Deployment to Use the Secret

Update your Kubernetes deployment YAML to reference the secret for pulling images.

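  1. Update Deployment YAML:
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: my-app
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: my-app
     template:
       metadata:
         labels:
           app: my-app
       spec:
         containers:
         - name: my-app
           image: LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG  # image in Artifact Registry
           ports:
           - containerPort: 8080
         imagePullSecrets:
         - name: gcp-artifact-registry  # the secret created in step 2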
Replace the placeholders:

  • LOCATION with your Artifact Registry location (e.g., us-central1).
  • PROJECT-ID with your GCP project ID.
  • REPOSITORY with the name of your repository.
  • IMAGE:TAG with the specific image and tag you want to use.
  2. Apply the Deployment:
   kubectl apply -f deployment.yaml

4. Verify the Setup

  1. Check the Deployment Status:
   kubectl get pods
  2. Describe a Pod to Verify Image Pull:
   kubectl describe pod <POD-NAME>
Look in the Events section of the output to see whether the image was pulled successfully.
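
If the events show a pull failure, the usual cause is a mismatch between the secret and the image reference. The following is an added example, not part of the original guide: it checks a decoded pull secret against an image string, assuming the `auths` layout that kubectl create secret docker-registry writes. The function names and sample values are constructed for illustration.

```python
# Added example: helper names are illustrative, not part of kubectl or gcloud.
import base64
import json
from urllib.parse import urlparse


def registry_host(ref: str) -> str:
    """Host part of an image reference or of an `auths` key (scheme optional)."""
    return (urlparse(ref).netloc if "://" in ref else ref.split("/", 1)[0]).lower()


def check_pull_secret(dockerconfigjson: str, image: str) -> list[str]:
    """Return a list of problems that would stop `image` from being pulled."""
    problems = []
    auths = json.loads(dockerconfigjson).get("auths", {})
    by_host = {registry_host(k): v for k, v in auths.items()}
    host = registry_host(image)
    entry = by_host.get(host)
    if entry is None:
        return [f"no auths entry for {host}; secret covers {sorted(by_host)}"]
    user, password = entry.get("username"), entry.get("password", "")
    if user != "_json_key":
        problems.append("username must be _json_key for a JSON key file")
    try:
        key = json.loads(password)
    except json.JSONDecodeError:
        return problems + ["password is not the JSON content of key.json"]
    if not isinstance(key, dict) or key.get("type") != "service_account":
        problems.append("password JSON is not a service account key")
    expected = base64.b64encode(f"{user}:{password}".encode()).decode()
    if entry.get("auth") not in (None, expected):
        problems.append("auth field does not match username:password")
    return problems


def make_config(server: str, username: str, password: str) -> str:
    """Constructed sample in the layout kubectl writes to .dockerconfigjson."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps({"auths": {server: {
        "username": username, "password": password, "auth": auth}}})


# Constructed key content; a real key.json also carries the private key fields.
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "example-project"})
IMAGE = "us-central1-docker.pkg.dev/example-project/my-repo/my-app:1.0"

if __name__ == "__main__":
    good = make_config("https://us-central1-docker.pkg.dev", "_json_key", SAMPLE_KEY)
    print(check_pull_secret(good, IMAGE) or "secret matches image registry")
```

To run it against a live cluster, pass it the output of kubectl get secret gcp-artifact-registry -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d together with the image string from your Deployment.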


By following these steps, you configure your local Kubernetes cluster to authenticate with GCP Artifact Registry using a service account key file. This involves creating a service account and key, storing the key as a Kubernetes secret, and updating your deployments to use the secret for image pulls. This setup ensures secure and efficient access to your container images stored in GCP Artifact Registry.


