How to pull OCI Bundles from Google Artifact Registry?

[xNok]

I am trying to figure out how to have an OPA server deployed in GKE (Kubernetes) fetch artefacts from the Google Artifact Registry.

I don't know what is required. Conftest and Oras use the docker credential configuration, which in turn relies on the docker-credential-helper GCP provides. That being said, the OPA server seems to have a different approach using service.

I see an example for AWS ECR, but nothing for GCP

credentials:
  s3_signing:
    service: "ecr"
    metadata_credentials:
      aws_region: us-east-1

I looked into the gcp-metadata credential part, but yet again I don't know how it can be used to authenticate. I initially expected it to call the metadata server and the workload identity, but that doesn't seem to be the case, as the call to the metadata server fails.

https://www.openpolicyagent.org/docs/latest/management-bundles/#gcp-metadata-token-authentication-1

I am hoping someone had done it previously or had some guidance on how that might work.

[xNok]

I ended up finding the trick, you need to specify scopes for this to work

services:
  gar-registry:
    url: https://us-docker.pkg.dev
    type: oci
    credentials:
      gcp_metadata:
        scopes:
          - https://www.googleapis.com/auth/cloud-platform

[anderseknert]

Thanks for sharing your solution!