The Problem

Gitlab offers its own Docker Container Registry and using own Builder Images and pushing Images as a result of your pipelines is straight forward.

It is not straight forward if you work with Google Container Registry. In this post I will show you how to get this done.

The Solution

Custom Builder Containers


  1. Create Service account with no permissions in IAM & Admin
  2. Download Json Key
  3. Add Permissions in Storage Browser
    1. Select bucket holding your images (eg
    2. Grant permission Storage Object Admin to the service account

Local Docker Container

  1. Launch a library/docker container and exec into it (with Docker Wormhole Pattern docker.sock volume mount)
  2. Login into GCR via (Check the url of your repo, in my case its located in Europe, therefore the eu prefix in the url)
    docker login -u _json_key --password-stdin < /etc/gitlab-runner/<MY_KEY>.json
  3. Verify if it works via some docker pull <MY_GCR_IMAGE>
  4. Copy the content of ~/.docker/config.json

Gitlab config.toml configuration

  1. Add the following into your config.toml file
      environment = ["DOCKER_AUTH_CONFIG={ \"auths\": { \"\": { \"auth\": \"<TOKEN-FROM-DOCKER-CONFIG-FILE>\" } } }"]

Vanilla Gitlab Runner Container

  1. Run the runner eg like this
    docker run -it \
    --name gitlab-runner \
    --rm \
    -v /var/run/docker.sock:/var/run/docker.sock \

Your .gitlab-ci.yml file

  1. Verify the done work via a .gitlab-ci.yml
  2. Make use of a Builder Image which is located in your private GCR

Push custom images


  1. Add permissions to your service account
    1. Grant permission Storage Legacy Bucket Reader to your service account in the ` Storage Browser`

Custom Docker Builder Image

  1. Add your Service Account Key file to your custom Builder Image via the Dockerfile
    FROM docker:18.03.1-ce
    ADD key.json /<MY_KEY>.json

Your .gitlab-ci.yml file

  1. Add the following to your jobs
      docker login -u _json_key --password-stdin < /key.json