ConfigurationRegistriesGAR
GAR (Google Artifact Registry)
The gar registry lets you configure Google Artifact Registry integration.
The gar registry lets you configure Google Artifact Registry integration for container registries under *-docker.pkg.dev.
Variables
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
DD_REGISTRY_GAR_{REGISTRY_NAME}_CLIENTEMAIL | ⚪ | Service Account Client Email (required for private images access) | See Service Account credentials | |
DD_REGISTRY_GAR_{REGISTRY_NAME}_PRIVATEKEY | ⚪ | Service Account Private Key (required for private images access) | See Service Account credentials |
Docker and Docker Compose action triggers use this same service-account configuration when they pull private GAR images during an update. No separate action-trigger auth setting is required.
Examples
Configure for authenticated access
services:
drydock:
image: codeswhat/drydock
...
secrets:
- gar_private_key
environment:
- DD_REGISTRY_GAR_PRIVATE_CLIENTEMAIL=johndoe@myproject.iam.gserviceaccount.com
- DD_REGISTRY_GAR_PRIVATE_PRIVATEKEY__FILE=/run/secrets/gar_private_key
secrets:
gar_private_key:
file: /path/to/gar-private-key.pemdocker run \
-v /path/to/gar-private-key.pem:/run/secrets/gar_private_key:ro \
-e DD_REGISTRY_GAR_PRIVATE_CLIENTEMAIL="johndoe@myproject.iam.gserviceaccount.com" \
-e DD_REGISTRY_GAR_PRIVATE_PRIVATEKEY__FILE="/run/secrets/gar_private_key" \
...
codeswhat/drydockKeep the private-key file outside the repository, restrict its permissions, and mount it read-only. The __FILE suffix loads the value from the mounted secret without placing the PEM in the Compose file, shell history, or container environment metadata.