Kaniko and Google Container Registry without gcloud sdk and Docker

Christoph Grotz
Google Cloud - Community
1 min read · Sep 29, 2021

Today I was facing a challenge: we were creating an access token for Google Cloud’s IAM in a small microservice running on Cloud Run. The use case was a small token exchange service that exchanges a token from an application for an IAM access token.

In the next step I wanted to use this token in our Kaniko build to push a Docker image to my project’s Container Registry. But how can I provide the access token to Kaniko? The problem was made worse since the build agent I was running the build on didn’t have Docker installed itself.

Normally I would just call gcloud auth configure-docker. But since gcloud at the moment doesn’t support providing an access token directly, I had to figure out another way to achieve my goal.

So I built a small workaround script that creates a Docker configuration directly containing the access token, without the need to call gcloud auth configure-docker.
The GCR service expects the username and password combination provided in the Authorization header to contain gclouddockertoken as the username and the access token as the password. The following script takes those parameters, base64-encodes them, and writes the configuration directly into ~/.docker/config.json.
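
One way to write the script described above, as an added example rather than the author's original script. Assumptions: the token is supplied in an ACCESS_TOKEN environment variable, and the function names and the registry hosts gcr.io and eu.gcr.io are illustrative.

```shell
#!/bin/sh
# Added example, not the article's script. Assumptions: the token arrives in the
# ACCESS_TOKEN environment variable; function names and hosts are illustrative.

GCR_USERNAME="gclouddockertoken"   # username the article says GCR expects

# Print base64("username:token") on a single line. printf adds no trailing
# newline to the input; tr strips the wrapping GNU base64 applies to long tokens.
gcr_auth_value() {
    printf '%s:%s' "$GCR_USERNAME" "$1" | base64 | tr -d '\n'
}

# usage: write_docker_config TOKEN HOST [HOST...]
# Writes ${DOCKER_CONFIG:-$HOME/.docker}/config.json with one entry per host.
write_docker_config() {
    token=$1; shift
    [ -n "$token" ] || { echo "empty access token" >&2; return 1; }
    dir=${DOCKER_CONFIG:-$HOME/.docker}
    auth=$(gcr_auth_value "$token")
    entries=""
    for host in "$@"; do
        # Hosts are interpolated into JSON, so accept plain hostnames only.
        case $host in
            ''|*[!A-Za-z0-9.-]*) echo "bad registry host: $host" >&2; return 1 ;;
        esac
        entries="${entries:+$entries,}\"$host\":{\"auth\":\"$auth\"}"
    done
    [ -n "$entries" ] || { echo "no registry host given" >&2; return 1; }
    (
        umask 077   # the file holds a bearer credential: owner-only access
        mkdir -p "$dir" &&
        printf '{"auths":{%s}}\n' "$entries" > "$dir/config.json.tmp" &&
        mv "$dir/config.json.tmp" "$dir/config.json"
    )
}

# Runs only when a token is supplied through the environment, which keeps it
# out of command-line arguments: ACCESS_TOKEN=... sh write-gcr-config.sh
if [ -n "${ACCESS_TOKEN:-}" ]; then
    write_docker_config "$ACCESS_TOKEN" gcr.io eu.gcr.io
fi
```

Inside the Kaniko executor image, set DOCKER_CONFIG to /kaniko/.docker so the file lands where the executor reads it. The access token is short-lived, so regenerate the file for each build.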

Done. With this small workaround you can authenticate against GCR with your own token, without needing the Docker CLI or the Docker daemon installed.
This approach should work with many tools in the Docker ecosystem that rely on the access configuration in the config.json.
