{"id":76919,"date":"2025-03-18T08:00:00","date_gmt":"2025-03-17T23:00:00","guid":{"rendered":"https:\/\/www.creationline.com\/tech-blog\/?p=76919"},"modified":"2025-03-17T18:43:01","modified_gmt":"2025-03-17T09:43:01","slug":"gitlab-ci%e3%81%a8google-artifact-registry%e3%82%92workload-identity%e9%80%a3%e6%90%ba%e3%81%97%e3%82%88%e3%81%86-gitlab-googlecloud-oidc-docker-kaniko-terraform-opentofu","status":"publish","type":"post","link":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919","title":{"rendered":"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">\u306f\u3058\u3081\u306b<\/h2>\n\n\n\n<p>Docker\u30a4\u30e1\u30fc\u30b8\u3092<a href=\"https:\/\/about.gitlab.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">GitLab<\/a>\u306e<a href=\"https:\/\/docs.gitlab.com\/ci\/\" target=\"_blank\" rel=\"noreferrer noopener\">CI<\/a>\u3067\u30d3\u30eb\u30c9\u3057\u3001<a href=\"https:\/\/cloud.google.com\/artifact-registry\/docs?hl=ja\" target=\"_blank\" rel=\"noreferrer noopener\">Google Artifact Registry<\/a>\u306b\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u72b6\u6cc1\u3092\u8003\u3048\u3066\u307f\u307e\u3057\u3087\u3046\u3002\u3053\u3053\u3067\u554f\u984c\u306b\u306a\u3063\u3066\u304f\u308b\u306e\u306f\u300cGitLab CI\u304b\u3089Artifact Registry\u306b\u81ea\u52d5\u30ed\u30b0\u30a4\u30f3\u3059\u308b\u306b\u306f\u3001\u3069\u3046\u3057\u305f\u3089\u3044\u3044\u306e\u304b\uff1f\u300d\u3068\u3044\u3046\u3053\u3068\u3067\u3059\u3002<\/p>\n\n\n\n<p>\u7d20\u6734\u306b\u8003\u3048\u308b\u3068Google Cloud\u5074\u3067<a href=\"https:\/\/cloud.google.com\/iam\/docs\/service-account-creds?hl=ja#user-managed-keys\" target=\"_blank\" rel=\"noreferrer noopener\">\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u30ad\u30fc<\/a>\u3092\u4f5c\u6210\u3057\u3001GitLab\u5074\u306b\u4fdd\u5b58\u3057\u3066\u4f7f\u7528\u3059\u308b\u3068\u601d\u3044\u307e\u3059\u3002\u3057\u304b\u3057\u3001\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u30ad\u30fc\u3068\u3044\u3046\u5f37\u529b\u306a\u8a8d\u8a3c\u60c5\u5831\u3092Google Cloud\u5916\u306b\u6301\u3061\u51fa\u3057\u3066\u4fdd\u5b58\u3059\u308b\u3053\u3068\u306b\u306f\u3001\u6f0f\u6d29\u306e\u5fc3\u914d\u304c\u3064\u304d\u307e\u3068\u3044\u307e\u3059\u3002\u9375\u3092\u30ed\u30fc\u30c6\u30fc\u30b7\u30e7\u30f3\u3059\u308b\u306b\u3057\u3066\u3082\u3001\u6f0f\u6d29\u306e\u88ab\u5bb3\u3092\u3042\u308b\u7a0b\u5ea6\u8efd\u6e1b\u3059\u308b\u3082\u306e\u3067\u306f\u3042\u3063\u3066\u3082\u6f0f\u6d29\u305d\u306e\u3082\u306e\u3092\u9632\u3050\u308f\u3051\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002<\/p>\n\n\n\n<p>\u305d\u3053\u3067GitLab\u3068Google Cloud\u3092<a href=\"https:\/\/cloud.google.com\/iam\/docs\/workload-identity-federation?hl=ja\" target=\"_blank\" rel=\"noreferrer noopener\">Workload Identity \u9023\u643a<\/a>\u3057\u3001\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u30ad\u30fc\u306e\u4ee3\u308f\u308a\u306b<a href=\"https:\/\/cloud.google.com\/iam\/docs\/create-short-lived-credentials-direct?hl=ja\" target=\"_blank\" rel=\"noreferrer noopener\">\u6709\u52b9\u671f\u9593\u306e\u77ed\u3044\u8a8d\u8a3c\u60c5\u5831<\/a>\u3092\u7528\u3044\u308b\u3053\u3068\u306b\u3057\u3066\u307f\u307e\u3057\u3087\u3046\u3002\u672c\u7a3f\u3067\u306f <a href=\"https:\/\/opentofu.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenTofu<\/a> (\u4e43\u81f3 <a href=\"https:\/\/www.terraform.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Terraform<\/a>) \u3067\u8a2d\u5b9a\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u524d\u63d0\u6761\u4ef6<\/h2>\n\n\n\n<p>\u4eca\u56de\u306f\u30bb\u30eb\u30d5\u30db\u30b9\u30c8\u578b GitLab \u3068\u3057\u307e\u3059\u3002\u5f8c\u8ff0\u3057\u307e\u3059\u304c <a href=\"https:\/\/docs.gitlab.com\/ci\/yaml\/\" target=\"_blank\" rel=\"noreferrer noopener\">.gitlab-ci.yml<\/a> \u3068 <a href=\"https:\/\/docs.gitlab.com\/ci\/variables\/\" target=\"_blank\" rel=\"noreferrer noopener\">CI\/CD\u5909\u6570<\/a> \u3057\u304b\u4f7f\u3063\u3066\u3044\u306a\u3044\u305f\u3081\u3001\u30de\u30cd\u30fc\u30b8\u30c9 GitLab \u3067\u3082\u52d5\u304f\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>URL : <code>gitlab.example.com\/group-name\/project-1<\/code><\/li>\n\n\n\n<li>\u30d7\u30ed\u30b8\u30a7\u30af\u30c8ID: <code>12345<\/code><\/li>\n<\/ul>\n\n\n\n<p>\u304c\u30ec\u30dd\u30b8\u30c8\u30ea\u306eURL\u3068\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<p>Google Cloud\u5074\u3082Artifact Registry\u306a\u3069\u6700\u4f4e\u9650\u306e\u8a2d\u5b9a\u306f\u3067\u304d\u3066\u3044\u308b\u3082\u306e\u3068\u3057\u307e\u3059\u3002\u3053\u3053\u3067\u306f\u3001<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u540d: <code>example-name<\/code><\/li>\n\n\n\n<li>\u30d7\u30ed\u30b8\u30a7\u30af\u30c8ID: <code>example-id<\/code><\/li>\n\n\n\n<li>\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u756a\u53f7: <code>112233445566<\/code><\/li>\n\n\n\n<li>\u30ea\u30fc\u30b8\u30e7\u30f3: <code>us-central1<\/code> (\u30a2\u30a4\u30aa\u30ef)<\/li>\n<\/ul>\n\n\n\n<p>\u3068\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Workload Identity\u9023\u643a\u306e\u8a2d\u5b9a<\/h2>\n\n\n\n<p><a href=\"https:\/\/opentofu.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenTofu<\/a> (\u4e43\u81f3 <a href=\"https:\/\/www.terraform.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">Terraform<\/a>) \u3067\u8a2d\u5b9a\u3057\u307e\u3059\u3002\u7121\u95a2\u4fc2\u306a\u90e8\u5206\u306b\u95a2\u3057\u3066\u306f\u7701\u7565\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Workload Identity\u30d7\u30fc\u30eb<\/h3>\n\n\n\n<p>Google Cloud\u306e\u5916\u90e8\u306b\u3042\u305f\u308b GitLab \u306eID\u3092\u7ba1\u7406\u3059\u308b\u305f\u3081\u306e<a href=\"https:\/\/cloud.google.com\/iam\/docs\/workload-identity-federation?hl=ja#pools\" target=\"_blank\" rel=\"noreferrer noopener\">Workload Identity\u30d7\u30fc\u30eb<\/a>\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">resource \"google_iam_workload_identity_pool\" \"this\" {\n  workload_identity_pool_id = \"pool\"\n}<\/pre>\n\n\n\n<p><a href=\"https:\/\/registry.terraform.io\/providers\/hashicorp\/google\/latest\/docs\/resources\/iam_workload_identity_pool\" target=\"_blank\" rel=\"noreferrer noopener\">google_iam_workload_identity_pool<\/a> \u3082\u3054\u89a7\u304f\u3060\u3055\u3044\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Workload Identity\u30d7\u30fc\u30eb\u30d7\u30ed\u30d0\u30a4\u30c0<\/h3>\n\n\n\n<p>Google Cloud \u3068 Workload Identity \u30d7\u30fc\u30eb\u306e\u95a2\u4fc2\u3092\u8a18\u8ff0\u3059\u308b<a href=\"https:\/\/cloud.google.com\/iam\/docs\/workload-identity-federation?hl=ja#providers\" target=\"_blank\" rel=\"noreferrer noopener\">Workload Identity\u30d7\u30fc\u30eb\u30d7\u30ed\u30d0\u30a4\u30c0<\/a>\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">resource \"google_iam_workload_identity_pool_provider\" \"this\" {\n  workload_identity_pool_id = google_iam_workload_identity_pool.this.workload_identity_pool_id\n  workload_identity_pool_provider_id = \"pool-provider\"\n\n  oidc {\n    allowed_audiences = [\"https:\/\/gitlab.example.com\"]\n    issuer_uri = \"https:\/\/gitlab.example.com\/\"\n  }\n\n  attribute_mapping = {\n    \"google.subject\"           = \"assertion.sub\",\n    \"attribute.aud\"            = \"assertion.aud\",\n    \"attribute.project_path\"   = \"assertion.project_path\",\n    \"attribute.project_id\"     = \"assertion.project_id\",\n    \"attribute.namespace_id\"   = \"assertion.namespace_id\",\n    \"attribute.namespace_path\" = \"assertion.namespace_path\",\n    \"attribute.user_email\"     = \"assertion.user_email\",\n    \"attribute.ref\"            = \"assertion.ref\",\n    \"attribute.ref_type\"       = \"assertion.ref_type\",\n  }\n}<\/pre>\n\n\n\n<p><a href=\"https:\/\/registry.terraform.io\/providers\/hashicorp\/google\/latest\/docs\/resources\/iam_workload_identity_pool_provider#nested_oidc\" target=\"_blank\" rel=\"noreferrer noopener\">oidc<\/a>\u30d6\u30ed\u30c3\u30af\u3067 <a href=\"https:\/\/developers.google.com\/identity\/openid-connect\/openid-connect?hl=ja\" target=\"_blank\" rel=\"noreferrer noopener\">OpenID Connect<\/a>\u306e\u8a2d\u5b9a\u3092\u884c\u3063\u3066\u3044\u307e\u3059\u3002 <code>issuer_uri<\/code> \u3067\u30c8\u30fc\u30af\u30f3\u767a\u884c\u8005\u306eURL\u3092\u6307\u5b9a\u3057\u3001 <code>allowed_audiences<\/code> \u3067\u30c8\u30fc\u30af\u30f3\u306e <code>aud<\/code> \u30d5\u30a3\u30fc\u30eb\u30c9\u3067\u8a31\u53ef\u3059\u308b\u5024\u3092\u6307\u5b9a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>oidc {<br>  allowed_audiences = [\"https:\/\/gitlab.example.com\"]<br>  issuer_uri = \"https:\/\/gitlab.example.com\/\"<br>}<\/p>\n<\/blockquote>\n\n\n\n<p>\u3053\u3053\u3067\u306f\u767a\u884c\u8005\u306f\u30bb\u30eb\u30d5\u30db\u30b9\u30c8 GitLab (\u30b9\u30e9\u30c3\u30b7\u30e5\u3067\u7d42\u308f\u308b\u3053\u3068)\u3067\u3001aud (audience, \u30c8\u30fc\u30af\u30f3\u306e\u767a\u884c\u3092\u53d7\u3051\u308b\u30af\u30e9\u30a4\u30a2\u30f3\u30c8) \u3082\u3084\u306f\u308a\u30bb\u30eb\u30d5\u30db\u30b9\u30c8 GitLab (\u4eca\u5ea6\u306f\u30b9\u30e9\u30c3\u30b7\u30e5\u3092\u53d6\u308a\u9664\u304f\u3053\u3068)\u3067\u3059\u3002<\/p>\n\n\n\n<p><a href=\"https:\/\/registry.terraform.io\/providers\/hashicorp\/google\/latest\/docs\/resources\/iam_workload_identity_pool_provider#attribute_mapping-1\" target=\"_blank\" rel=\"noreferrer noopener\">attribute_mapping<\/a> \u3067\u5916\u90e8\u306eID\u30d7\u30ed\u30d0\u30a4\u30c0\u304b\u3089\u767a\u884c\u3055\u308c\u305f\u8a8d\u8a3c\u60c5\u5831\u306e\u5c5e\u6027\u3092\u3001Google Cloud\u306e\u5c5e\u6027\u306b\u30de\u30c3\u30d4\u30f3\u30b0\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>attribute_mapping = {<br>  \"google.subject\" = \"assertion.sub\",<br>  \"attribute.aud\" = \"assertion.aud\",<br>  \"attribute.project_path\" = \"assertion.project_path\",<br>  \"attribute.project_id\" = \"assertion.project_id\",<br>  \"attribute.namespace_id\" = \"assertion.namespace_id\",<br>  \"attribute.namespace_path\" = \"assertion.namespace_path\",<br>  \"attribute.user_email\" = \"assertion.user_email\",<br>  \"attribute.ref\" = \"assertion.ref\",<br>  \"attribute.ref_type\" = \"assertion.ref_type\",<br>}<\/p>\n<\/blockquote>\n\n\n\n<p>\u3053\u3053\u3067\u306f\u307e\u305a GitLab \u304c\u767a\u884c\u3057\u305f <code>assertion.sub<\/code> \u3092 Google Cloud \u306e <code>google.subject<\/code> \u306b\u30de\u30c3\u30d4\u30f3\u30b0\u3057\u3066\u3044\u307e\u3059\u3002\u305d\u308c\u4ee5\u5916\u304c\u96e3\u3057\u304f\u2026 <a href=\"https:\/\/docs.gitlab.com\/ci\/cloud_services\/google_cloud\/#create-a-workload-identity-provider\" target=\"_blank\" rel=\"noreferrer noopener\">Create a Workload Identity Provider<\/a> \u3092\u898b\u3066\u3082 <code>attribute.X<\/code> = <code>assertion.X<\/code> (You must map every attribute that you want to use for permission granting.) \u3068\u3057\u304b\u66f8\u3044\u3066\u306a\u304f\u3066\u30ba\u30d0\u30ea\u4f55\u3092\u6307\u5b9a\u3057\u305f\u3089\u3044\u3044\u306e\u304b\u308f\u304b\u308a\u307e\u305b\u3093\u2026\u3002<\/p>\n\n\n\n<p>\u3055\u3089\u306b\u8aad\u307f\u9032\u3081\u308b\u3068 <a href=\"https:\/\/docs.gitlab.com\/ci\/secrets\/id_token_authentication\/#token-payload\" target=\"_blank\" rel=\"noreferrer noopener\">OpenID Connect (OIDC) Authentication Using ID Tokens<\/a> \u306b X \u304c\u8f09\u3063\u3066\u3044\u307e\u3059\u3002\u3055\u3089\u306b\u5177\u4f53\u7684\u306a\u30de\u30c3\u30d4\u30f3\u30b0\u306f <a href=\"https:\/\/gitlab.com\/guided-explorations\/gcp\/configure-openid-connect-in-gcp\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenID Connect In Google Cloud<\/a> \u3084 <a href=\"https:\/\/docs.gitlab.com\/integration\/google_cloud_iam\/#with-the-google-cloud-cli\" target=\"_blank\" rel=\"noreferrer noopener\">Google Cloud Workload Identity Federation and IAM policies<\/a> \u306b\u3082\u3042\u308a\u307e\u3059\u3002\u3069\u3061\u3089\u3082\u9055\u3046\u3088\u3046\u3067\u3059\u304c\u2026\u3002\u5148\u306e\u6587\u3092\u8aad\u3080\u3068\u3001\u8a31\u53ef\u3059\u308b\u6761\u4ef6\u306b\u4f7f\u3044\u305f\u3044\u5c5e\u6027\u3092\u66f8\u304f\u3088\u3046\u3067\u3059\u3002\u3072\u3068\u307e\u305a\u30ec\u30dd\u30b8\u30c8\u30ea\u306e\u307b\u3046\u3092\u62dd\u501f\u3055\u305b\u3066\u3082\u3089\u3046\u3053\u3068\u306b\u3057\u307e\u3057\u305f\u3002<\/p>\n\n\n\n<p><a href=\"https:\/\/registry.terraform.io\/providers\/hashicorp\/google\/latest\/docs\/resources\/iam_workload_identity_pool_provider\" target=\"_blank\" rel=\"noreferrer noopener\">google_iam_workload_identity_pool_provider<\/a> \u3082\u3054\u89a7\u304f\u3060\u3055\u3044\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8<\/h3>\n\n\n\n<p>Artifact Registry \u306b Docker \u30a4\u30e1\u30fc\u30b8\u3092\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u6a29\u9650 <a href=\"https:\/\/cloud.google.com\/artifact-registry\/docs\/access-control?hl=ja#roles\" target=\"_blank\" rel=\"noreferrer noopener\">roles\/artifactregistry.writer<\/a> \u3092\u6301\u3063\u305f\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">resource \"google_service_account\" \"gitlab\" {\n  project    = google_artifact_registry_repository.this.project\n  account_id = \"${var.project_name}-sa-gitlab\"\n}\n\nresource \"google_artifact_registry_repository_iam_member\" \"gitlab\" {\n  project    = google_artifact_registry_repository.this.project\n  location   = google_artifact_registry_repository.this.location\n  repository = google_artifact_registry_repository.this.name\n  role       = \"roles\/artifactregistry.writer\"\n  member     = \"serviceAccount:${google_service_account.gitlab.email}\"\n}<\/pre>\n\n\n\n<p>\u3053\u308c\u3067\u4f5c\u6210\u3055\u308c\u305f\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u306e\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9\u306f\u3053\u3053\u3067\u306f <code>example-name-sa-gitlab@example-id.iam.gserviceaccount.com<\/code> \u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n<p><a href=\"https:\/\/registry.terraform.io\/providers\/hashicorp\/google\/latest\/docs\/resources\/google_service_account\" target=\"_blank\" rel=\"noreferrer noopener\">google_service_account<\/a> \u3068 <a href=\"https:\/\/registry.terraform.io\/providers\/hashicorp\/google\/latest\/docs\/resources\/artifact_registry_repository_iam\" target=\"_blank\" rel=\"noreferrer noopener\">google_artifact_registry_repository_iam_member<\/a> \u3082\u3054\u89a7\u304f\u3060\u3055\u3044\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u306e\u6a29\u9650\u501f\u7528<\/h3>\n\n\n\n<p><a href=\"https:\/\/cloud.google.com\/iam\/docs\/service-account-permissions?hl=ja#workload-identity-user\" target=\"_blank\" rel=\"noreferrer noopener\">roles\/iam.workloadIdentityUser<\/a> \u30ed\u30fc\u30eb\u3092\u6301\u3064\u30d7\u30ea\u30f3\u30b7\u30d1\u30eb\u306f\u3001\u6307\u5b9a\u3057\u305f\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\uff08\u5f8c\u8ff0\uff09\u306e\u6a29\u9650\u3092\u501f\u7528\u3067\u304d\u307e\u3059\u3002<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">resource \"google_project_iam_member\" \"workload_identity_user\" {\n  project = google_artifact_registry_repository.this.project\n  role = \"roles\/iam.workloadIdentityUser\"\n  member = \"principalSet:\/\/iam.googleapis.com\/projects\/${data.google_project.project.number}\/locations\/global\/workloadIdentityPools\/${google_iam_workload_identity_pool.this.workload_identity_pool_id}\/attribute.project_id\/${var.gitlab_project_id}\"\n}<\/pre>\n\n\n\n<p>\u3053\u3053\u3067\u306fGitLab\u306e\u30d7\u30ed\u30b8\u30a7\u30af\u30c8ID\u306e <code>12345<\/code> \u3092 OpenTofu (Terraform) \u306e\u30ed\u30fc\u30ab\u30eb\u5909\u6570 <code>var.gitlab_project_id<\/code> \u3067\u53c2\u7167\u3067\u304d\u308b\u3088\u3046\u306b\u3057\u3066\u3042\u308a\u3001\u3053\u308c\u306b\u4e00\u81f4\u3059\u308b\u3082\u306e\u306e\u307f\u306b\u5236\u9650\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n<p><a href=\"https:\/\/cloud.google.com\/iam\/docs\/workload-identity-federation?hl=ja#principal-types\" target=\"_blank\" rel=\"noreferrer noopener\">\u30d7\u30ea\u30f3\u30b7\u30d1\u30eb\u30bf\u30a4\u30d7<\/a>\u3082\u3054\u89a7\u304f\u3060\u3055\u3044\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">GitLab \u306e\u8a2d\u5b9a<\/h2>\n\n\n\n<p>\u6b21\u306f GitLab \u5074\u306e\u8a2d\u5b9a\u3092\u884c\u3063\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CI\/CD \u5909\u6570\u8a2d\u5b9a<\/h3>\n\n\n\n<p>Google Cloud\u306b\u3066\u30ea\u30bd\u30fc\u30b9\u3092\u4f5c\u6210\u6e08\u307f\u3067\u3001\u305d\u308c\u3089\u304b\u3089\u5024\u3092\u5f97\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>ARTIFACT_REGISTRY<\/code> : <code>us-central1-docker.pkg.dev<\/code>\n<ul class=\"wp-block-list\">\n<li>Artifact Registry \u306e Docker \u30b3\u30f3\u30c6\u30ca\u30ec\u30b8\u30b9\u30c8\u30ea\u30db\u30b9\u30c8\u3067\u3059\u3002\u8a2d\u5b9a\u3055\u308c\u305f\u3082\u306e\u3092\u4f7f\u3063\u3066\u304f\u3060\u3055\u3044\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>GCP_PROJECT_NAME<\/code> : <code>example-name<\/code>\n<ul class=\"wp-block-list\">\n<li>Google Cloud\u306e\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u540d\u3067\u3059\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>GCP_PROJECT_ID<\/code> : <code>example-id<\/code>\n<ul class=\"wp-block-list\">\n<li>Google Cloud\u306e\u30d7\u30ed\u30b8\u30a7\u30af\u30c8ID\u3067\u3059\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>GCP_PROJECT_NUMBER<\/code> : <code>112233445566<\/code>\n<ul class=\"wp-block-list\">\n<li>Google Cloud\u306e\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u756a\u53f7\u3067\u3059\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>GCP_SERVICEACCOUNT_EMAIL<\/code> : <code>example-name-sa-gitlab@example-id.iam.gserviceaccount.com<\/code>\n<ul class=\"wp-block-list\">\n<li>Google Cloud\u306b\u4f5c\u6210\u3057\u305f\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u3059\u3002GitLab \u304b\u3089\u306f\u3053\u306e\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u3092\u501f\u7528\u3059\u308b\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>GCP_WORKLOAD_POOL_ID<\/code> : <code>pool<\/code>\n<ul class=\"wp-block-list\">\n<li>Google Cloud\u306eWorkload Identity\u30d7\u30fc\u30ebID\u3067\u3059\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>GCP_WORKLOAD_PROVIDER_ID<\/code> : <code>pool-provider<\/code>\n<ul class=\"wp-block-list\">\n<li>Google Cloud\u306eWorkload Identity\u30d7\u30fc\u30eb\u30d7\u30ed\u30d0\u30a4\u30c0ID\u3067\u3059\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><code>.gitlab-ci.yml<\/code><\/h3>\n\n\n\n<p>\u6b21\u306e\u8a2d\u5b9a\u3068\u3057\u307e\u3059\u3002<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">stages:\n  - build\n\nbuild:\n  stage: build\n  image:\n    name: gcr.io\/kaniko-project\/executor:v1.23.2-debug\n    entrypoint: [\"\"]\n  id_tokens:\n    GCP_ID_TOKEN:\n      aud: https:\/\/gitlab.example.com\n  script:\n    - |\n      PAYLOAD=\"$(cat &lt;&lt;EOF\n      {\n        \"audience\": \"\/\/iam.googleapis.com\/projects\/$GCP_PROJECT_NUMBER\/locations\/global\/workloadIdentityPools\/$GCP_WORKLOAD_POOL_ID\/providers\/$GCP_WORKLOAD_PROVIDER_ID\",\n        \"grantType\": \"urn:ietf:params:oauth:grant-type:token-exchange\",\n        \"requestedTokenType\": \"urn:ietf:params:oauth:token-type:access_token\",\n        \"scope\": \"https:\/\/www.googleapis.com\/auth\/cloud-platform\",\n        \"subjectTokenType\": \"urn:ietf:params:oauth:token-type:jwt\",\n        \"subjectToken\": \"${GCP_ID_TOKEN}\"\n      }\n      EOF\n      )\"\n    - |\n      FEDERATED_TOKEN=$(wget -qO- \\\n        --header=\"Content-Type: application\/json\" \\\n        --post-data=\"$PAYLOAD\" \\\n        \"https:\/\/sts.googleapis.com\/v1\/token\" \\\n        | grep -o '\"access_token\": *\"[^\"]*\"' \\\n        | sed 's\/\"access_token\": *\"\\([^\"]*\\)\"\/\\1\/')\n    - |\n      ACCESS_TOKEN=$(wget -qO- \\\n        --header=\"Content-Type: application\/json\" \\\n        --header=\"Authorization: Bearer $FEDERATED_TOKEN\" \\\n        --post-data='{\"scope\": [\"https:\/\/www.googleapis.com\/auth\/cloud-platform\"]}' \\\n        \"https:\/\/iamcredentials.googleapis.com\/v1\/projects\/-\/serviceAccounts\/${GCP_SERVICEACCOUNT_EMAIL}:generateAccessToken\" \\\n        | grep -o '\"accessToken\": *\"[^\"]*\"' \\\n        | sed 's\/\"accessToken\": *\"\\([^\"]*\\)\"\/\\1\/')\n    - mkdir -p \/kaniko\/.docker\n    - |\n      echo \"{\\\"auths\\\":{\\\"us-central1-docker.pkg.dev\\\":{\\\"auth\\\":\\\"$(printf \"oauth2accesstoken:%s\" \"$ACCESS_TOKEN\" | base64 | tr -d '\\n')\\\"}}}\" \\\n      > \/kaniko\/.docker\/config.json\n    - |\n      \/kaniko\/executor \\\n      --context \"${CI_PROJECT_DIR}\" \\\n      --dockerfile \"${CI_PROJECT_DIR}\/Dockerfile\" \\\n      --destination \"us-central1-docker.pkg.dev\/${GCP_PROJECT_ID}\/${GCP_PORJECT_NAME}\/example-image\"<\/pre>\n\n\n\n<p>\u3053\u3053\u3067\u306fDocker\u306e\u30d3\u30eb\u30c9\u306b <a href=\"https:\/\/github.com\/GoogleContainerTools\/kaniko\" target=\"_blank\" rel=\"noreferrer noopener\">kaniko<\/a> \u3092\u4f7f\u3063\u3066\u3044\u307e\u3059\u3002<a href=\"https:\/\/docs.gitlab.com\/ci\/docker\/using_docker_build\/\" target=\"_blank\" rel=\"noreferrer noopener\">Docker<\/a>\u3067\u30d3\u30eb\u30c9\u3059\u308b\u3088\u308a\u683c\u6bb5\u306b\u7c21\u5358\u306a\u306e\u3067\u3059\u304c\u3001\u5f31\u70b9\u304c\u3042\u308a\u307e\u3059\u3002\u305d\u308c\u306f kaniko \u30a4\u30e1\u30fc\u30b8\u5185\u306b\u306f <a href=\"https:\/\/curl.se\/\" target=\"_blank\" rel=\"noreferrer noopener\">curl<\/a> \u3082 <a href=\"https:\/\/jqlang.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">jq<\/a> \u3082\u5165\u3063\u3066\u304a\u3089\u305a\u3001\u304b\u3068\u3044\u3063\u3066\u30d9\u30fc\u30b9\u30a4\u30e1\u30fc\u30b8\u304c <a href=\"https:\/\/hub.docker.com\/_\/scratch\" target=\"_blank\" rel=\"noreferrer noopener\">scratch<\/a> \u306e\u305f\u3081\u3001\u30d1\u30c3\u30b1\u30fc\u30b8\u3067\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3082\u3067\u304d\u306a\u3044\u3053\u3068\u3067\u3059\u3002\u3088\u3063\u3066 <a href=\"https:\/\/docs.gitlab.com\/ci\/cloud_services\/google_cloud\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenID Connect with GCP Workload Identity Federation<\/a> \u3084 <a href=\"https:\/\/gitlab.com\/guided-explorations\/gcp\/configure-openid-connect-in-gcp\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenID Connect In Google Cloud<\/a> \u306e\u65b9\u6cd5\u304c\u305d\u306e\u307e\u307e\u4f7f\u3048\u307e\u305b\u3093\u3002<\/p>\n\n\n\n<p>\u305d\u3053\u3067\u3053\u3053\u3067\u306f curl \u3068 jq \u306e\u4ee3\u308f\u308a\u306b\u3001<a href=\"https:\/\/www.busybox.net\/\" target=\"_blank\" rel=\"noreferrer noopener\">BusyBox<\/a> \u306e wget, grep, sed \u3092\u4f7f\u3063\u3066\u3084\u308a\u304f\u308a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">FEDERATED_TOKEN<\/h4>\n\n\n\n<p>curl \u3068 jq \u306e\u3053\u308c\u306f\u3001<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">    - |\n      FEDERATED_TOKEN=$(curl -X POST \n        --header \"Content-Type: application\/json\" \\\n        --data \"$PAYLOAD\" \\\n        \"https:\/\/sts.googleapis.com\/v1\/token\" \\\n        | jq -r '.access_token' )<\/pre>\n\n\n\n<p>wget, grep, sed \u3067\u306f\u6b21\u306e\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">    - |\n      FEDERATED_TOKEN=$(wget -qO- \\\n        --header=\"Content-Type: application\/json\" \\\n        --post-data=\"$PAYLOAD\" \\\n        \"https:\/\/sts.googleapis.com\/v1\/token\" \\\n        | grep -o '\"access_token\": *\"[^\"]*\"' \\\n        | sed 's\/\"access_token\": *\"\\([^\"]*\\)\"\/\\1\/')<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">ACCESS_TOKEN<\/h4>\n\n\n\n<p>curl \u3068 jq \u306e\u3053\u308c\u306f\u3001<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">    - |\n      ACCESS_TOKEN=$(curl -X POST \\\n        --header \"Content-Type: application\/json\" \\\n        --header \"Authorization: Bearer $FEDERATED_TOKEN\" \\\n        --data '{\"scope\": [\"https:\/\/www.googleapis.com\/auth\/cloud-platform\"]}' \\\n        \"https:\/\/iamcredentials.googleapis.com\/v1\/projects\/-\/serviceAccounts\/${GCP_SERVICEACCOUNT_EMAIL}:generateAccessToken\" \\\n        | jq -r '.accessToken' )<\/pre>\n\n\n\n<p>wget, grep, sed \u3067\u306f\u6b21\u306e\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">    - |\n      ACCESS_TOKEN=$(wget -qO- \\\n        --header=\"Content-Type: application\/json\" \\\n        --header=\"Authorization: Bearer $FEDERATED_TOKEN\" \\\n        --post-data='{\"scope\": [\"https:\/\/www.googleapis.com\/auth\/cloud-platform\"]}' \\\n        \"https:\/\/iamcredentials.googleapis.com\/v1\/projects\/-\/serviceAccounts\/${GCP_SERVICEACCOUNT_EMAIL}:generateAccessToken\" \\\n        | grep -o '\"accessToken\": *\"[^\"]*\"' \\\n        | sed 's\/\"accessToken\": *\"\\([^\"]*\\)\"\/\\1\/')<\/pre>\n\n\n\n<p>curl \u306f wget \u3067\u7f6e\u304d\u63db\u3048\u3089\u308c\u307e\u3059\u304c\u3001grep \u3068 sed \u306f jq \u306e\u3088\u3046\u306b\u4f4d\u7f6e\u3092\u7279\u5b9a\u3057\u3066\u3044\u308b\u308f\u3051\u3067\u306f\u306a\u3044\u306e\u3067\u3001\u53b3\u5bc6\u306b\u6a5f\u80fd\u3092\u7f6e\u304d\u63db\u3048\u3089\u308c\u3066\u3044\u308b\u308f\u3051\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u3082\u3057\u304b\u3059\u308b\u3068\u306a\u306b\u304b\u30ba\u30ec\u3066\u52d5\u304b\u306a\u304f\u306a\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3053\u3068\u306b\u6ce8\u610f\u304c\u5fc5\u8981\u3067\u3059\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u30d3\u30eb\u30c9\u5b9f\u884c<\/h2>\n\n\n\n<p>\u3053\u308c\u3067\u6b21\u306e\u3088\u3046\u306b\u30d3\u30eb\u30c9\u3067\u304d\u307e\u3057\u305f\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"346\" src=\"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry-1024x346.png\" alt=\"\" class=\"wp-image-76921\" srcset=\"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry-1024x346.png 1024w, https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry-360x122.png 360w, https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry-768x260.png 768w, https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry.png 1203w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>GitLab\u306e\u30ec\u30dd\u30b8\u30c8\u30ea\u3084CI\/CD\u74b0\u5883\u5909\u6570\u306b\u306f\u3001Google Cloud\u306e\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8\u306e\u6a5f\u5bc6\u60c5\u5831\u306f\u4fdd\u5b58\u3057\u3066\u3044\u307e\u305b\u3093\u3002\u305f\u3060\u3001BusyBox \u306e wget \u306fTLS\u8a3c\u660e\u66f8\u3092\u691c\u8a3c\u3057\u3066\u3044\u306a\u3044\u3088\u3046\u306a\u306e\u3067\u3001\u3053\u308c\u306f\u3061\u3087\u3063\u3068\u5fae\u5999\u306a\u6c17\u3082\u3057\u307e\u3059\u2026\uff08<a href=\"https:\/\/github.com\/docker-library\/busybox\/issues\/80\" target=\"_blank\" rel=\"noreferrer noopener\">Enable https verification for wget or disable https<\/a>\uff09\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u307e\u3068\u3081<\/h2>\n\n\n\n<p>GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3001\u30d3\u30eb\u30c9\u3057\u305fDocker\u30a4\u30e1\u30fc\u30b8\u3092\u30d7\u30c3\u30b7\u30e5\u3067\u304d\u308b\u3088\u3046\u306b\u3057\u3066\u307f\u307e\u3057\u305f\u3002GitLab\u306e\u30ec\u30dd\u30b8\u30c8\u30ea\u3084CI\/CD\u74b0\u5883\u5909\u6570\u306bGoogle Cloud\u306e\u6a5f\u5bc6\u60c5\u5831\u3092\u4fdd\u5b58\u3057\u3066\u3044\u306a\u3044\u306e\u3067\u5b89\u5168\u3067\u3059\u3002\u305f\u3060\u3001\u30c8\u30fc\u30af\u30f3\u53d6\u5f97\u6642\u306e wget \u3067\u8a3c\u660e\u66f8\u3092\u691c\u8a3c\u3057\u3066\u3044\u306a\u3044\u3053\u3068\u3084\u3001\u305d\u306e\u30a4\u30e1\u30fc\u30b8\u81ea\u4f53\u304c\u5b89\u5168\u306a\u306e\u304b\u306a\u3069\u3001\u4ed6\u306b\u3082\u6c17\u3092\u3064\u3051\u308b\u70b9\u306f\u3055\u307e\u3056\u307e\u3042\u308b\u305f\u3081\u3001\u3053\u308c\u3067\u7d76\u5bfe\u3068\u8a00\u3044\u5207\u308c\u308b\u3082\u306e\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u5f15\u304d\u7d9a\u304d\u3001GitLab \u3068 Google Cloud \u306e\u5b89\u5168\u304b\u3064\u7c21\u5358\u306a\u904b\u7528\u3092\u898b\u3066\u3044\u304d\u305f\u3044\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u306f\u3058\u3081\u306b Docker\u30a4\u30e1\u30fc\u30b8\u3092GitLab\u306eCI\u3067\u30d3\u30eb\u30c9\u3057\u3001Google Artifact Registry\u306b\u30d7\u30c3\u30b7\u30e5\u3059\u308b\u72b6\u6cc1\u3092\u8003\u3048\u3066\u307f\u307e\u3057\u3087\u3046\u3002\u3053\u3053\u3067\u554f\u984c\u306b\u306a\u3063\u3066\u304f\u308b\u306e\u306f\u300cGitLab CI\u304b\u3089Artifact Re [&#8230;]<\/p>\n","protected":false},"author":2,"featured_media":76921,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[31,208,109,42,814],"tags":[],"class_list":["post-76919","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-higuchi","category-gcp","category-gitlab","category-hashicorp","category-cloudnative"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu - Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3<\/title>\n<meta name=\"description\" content=\"d-higuchi, GCP, GitLab, HashiCorp, \u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6 |\u306f\u3058\u3081\u306b Docker\u30a4\u30e1\u30fc\u30b8\u3092GitLab\u306eCI\u3067\u30d3\u30eb\u30c9\u3057\u3001Google Artifact\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu - Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3\" \/>\n<meta property=\"og:description\" content=\"d-higuchi, GCP, GitLab, HashiCorp, \u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6 |\u306f\u3058\u3081\u306b Docker\u30a4\u30e1\u30fc\u30b8\u3092GitLab\u306eCI\u3067\u30d3\u30eb\u30c9\u3057\u3001Google Artifact\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919\" \/>\n<meta property=\"og:site_name\" content=\"Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/creationline\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-17T23:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1203\" \/>\n\t<meta property=\"og:image:height\" content=\"407\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Daisuke Higuchi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@creationline\" \/>\n<meta name=\"twitter:site\" content=\"@creationline\" \/>\n<meta name=\"twitter:label1\" content=\"\u57f7\u7b46\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daisuke Higuchi\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u63a8\u5b9a\u8aad\u307f\u53d6\u308a\u6642\u9593\" \/>\n\t<meta name=\"twitter:data2\" content=\"5\u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919\"},\"author\":{\"name\":\"Daisuke Higuchi\",\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/#\\\/schema\\\/person\\\/16f1373831fb6fd17387f16ae1195206\"},\"headline\":\"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu\",\"datePublished\":\"2025-03-17T23:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919\"},\"wordCount\":330,\"image\":{\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/cms_x3GWkuX\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/gitlab-ci-artifact-registry.png\",\"articleSection\":[\"d-higuchi\",\"GCP\",\"GitLab\",\"HashiCorp\",\"\u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6\"],\"inLanguage\":\"ja\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919\",\"url\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919\",\"name\":\"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu - Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/cms_x3GWkuX\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/gitlab-ci-artifact-registry.png\",\"datePublished\":\"2025-03-17T23:00:00+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/#\\\/schema\\\/person\\\/16f1373831fb6fd17387f16ae1195206\"},\"description\":\"d-higuchi, GCP, GitLab, HashiCorp, \u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6 |\u306f\u3058\u3081\u306b Docker\u30a4\u30e1\u30fc\u30b8\u3092GitLab\u306eCI\u3067\u30d3\u30eb\u30c9\u3057\u3001Google Artifact\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919#breadcrumb\"},\"inLanguage\":\"ja\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"ja\",\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919#primaryimage\",\"url\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/cms_x3GWkuX\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/gitlab-ci-artifact-registry.png\",\"contentUrl\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/cms_x3GWkuX\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/gitlab-ci-artifact-registry.png\",\"width\":1203,\"height\":407},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\\\/76919#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"HOME\",\"item\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u8457\u8005\uff08Author\uff09\",\"item\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"d-higuchi\",\"item\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/#website\",\"url\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/\",\"name\":\"Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3\",\"description\":\"\u30a2\u30b8\u30e3\u30a4\u30eb\uff06DevOps\u3001\u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6\u3001AI\uff06LLM\u306e\u5148\u7aef\u6280\u8853\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"ja\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/#\\\/schema\\\/person\\\/16f1373831fb6fd17387f16ae1195206\",\"name\":\"Daisuke Higuchi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"ja\",\"@id\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/cms_x3GWkuX\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/d-higuchi-wp-icon-230x230.png\",\"url\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/cms_x3GWkuX\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/d-higuchi-wp-icon-230x230.png\",\"contentUrl\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/cms_x3GWkuX\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/d-higuchi-wp-icon-230x230.png\",\"caption\":\"Daisuke Higuchi\"},\"description\":\"Chef\u30fbDocker\u30fbMirantis\u88fd\u54c1\u306a\u3069\u306e\u6280\u8853\u8981\u7d20\u306b\u52a0\u3048\u3066\u3001\u4f1a\u8b70\u306e\u9032\u3081\u65b9\u30fb\u6587\u7ae0\u306e\u66f8\u304d\u65b9\u306a\u3069\u306e\u696d\u52d9\u6539\u5584\u306b\u3082\u53d6\u308a\u7d44\u3093\u3067\u3044\u307e\u3059\u3002\u300cChef\u6d3b\u7528\u30ac\u30a4\u30c9\u300d\u5171\u8457\u306e\u307b\u304b\u3001Debian Official Developer\u3082\u3084\u3063\u3066\u3044\u307e\u3059\u3002\",\"url\":\"https:\\\/\\\/www.creationline.com\\\/tech-blog\\\/author\\\/higuchi\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu - Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3","description":"d-higuchi, GCP, GitLab, HashiCorp, \u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6 |\u306f\u3058\u3081\u306b Docker\u30a4\u30e1\u30fc\u30b8\u3092GitLab\u306eCI\u3067\u30d3\u30eb\u30c9\u3057\u3001Google Artifact","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919","og_locale":"ja_JP","og_type":"article","og_title":"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu - Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3","og_description":"d-higuchi, GCP, GitLab, HashiCorp, \u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6 |\u306f\u3058\u3081\u306b Docker\u30a4\u30e1\u30fc\u30b8\u3092GitLab\u306eCI\u3067\u30d3\u30eb\u30c9\u3057\u3001Google Artifact","og_url":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919","og_site_name":"Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3","article_publisher":"https:\/\/www.facebook.com\/creationline","article_published_time":"2025-03-17T23:00:00+00:00","og_image":[{"width":1203,"height":407,"url":"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry.png","type":"image\/png"}],"author":"Daisuke Higuchi","twitter_card":"summary_large_image","twitter_creator":"@creationline","twitter_site":"@creationline","twitter_misc":{"\u57f7\u7b46\u8005":"Daisuke Higuchi","\u63a8\u5b9a\u8aad\u307f\u53d6\u308a\u6642\u9593":"5\u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919#article","isPartOf":{"@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919"},"author":{"name":"Daisuke Higuchi","@id":"https:\/\/www.creationline.com\/tech-blog\/#\/schema\/person\/16f1373831fb6fd17387f16ae1195206"},"headline":"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu","datePublished":"2025-03-17T23:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919"},"wordCount":330,"image":{"@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919#primaryimage"},"thumbnailUrl":"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry.png","articleSection":["d-higuchi","GCP","GitLab","HashiCorp","\u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6"],"inLanguage":"ja"},{"@type":"WebPage","@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919","url":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919","name":"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu - Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3","isPartOf":{"@id":"https:\/\/www.creationline.com\/tech-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919#primaryimage"},"image":{"@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919#primaryimage"},"thumbnailUrl":"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry.png","datePublished":"2025-03-17T23:00:00+00:00","author":{"@id":"https:\/\/www.creationline.com\/tech-blog\/#\/schema\/person\/16f1373831fb6fd17387f16ae1195206"},"description":"d-higuchi, GCP, GitLab, HashiCorp, \u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6 |\u306f\u3058\u3081\u306b Docker\u30a4\u30e1\u30fc\u30b8\u3092GitLab\u306eCI\u3067\u30d3\u30eb\u30c9\u3057\u3001Google Artifact","breadcrumb":{"@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919#primaryimage","url":"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry.png","contentUrl":"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2025\/03\/gitlab-ci-artifact-registry.png","width":1203,"height":407},{"@type":"BreadcrumbList","@id":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi\/76919#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"HOME","item":"https:\/\/www.creationline.com\/tech-blog"},{"@type":"ListItem","position":2,"name":"\u8457\u8005\uff08Author\uff09","item":"https:\/\/www.creationline.com\/tech-blog\/author"},{"@type":"ListItem","position":3,"name":"d-higuchi","item":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi"},{"@type":"ListItem","position":4,"name":"GitLab CI\u3068Google Artifact Registry\u3092Workload Identity\u9023\u643a\u3057\u3088\u3046 #gitlab #googlecloud #oidc #docker #kaniko #terraform #opentofu"}]},{"@type":"WebSite","@id":"https:\/\/www.creationline.com\/tech-blog\/#website","url":"https:\/\/www.creationline.com\/tech-blog\/","name":"Tech Blog\uff5c\u30af\u30ea\u30a8\u30fc\u30b7\u30e7\u30f3\u30e9\u30a4\u30f3","description":"\u30a2\u30b8\u30e3\u30a4\u30eb\uff06DevOps\u3001\u30af\u30e9\u30a6\u30c9\u30cd\u30a4\u30c6\u30a3\u30d6\u3001AI\uff06LLM\u306e\u5148\u7aef\u6280\u8853","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.creationline.com\/tech-blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/www.creationline.com\/tech-blog\/#\/schema\/person\/16f1373831fb6fd17387f16ae1195206","name":"Daisuke Higuchi","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2023\/08\/d-higuchi-wp-icon-230x230.png","url":"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2023\/08\/d-higuchi-wp-icon-230x230.png","contentUrl":"https:\/\/www.creationline.com\/tech-blog\/cms_x3GWkuX\/wp-content\/uploads\/2023\/08\/d-higuchi-wp-icon-230x230.png","caption":"Daisuke Higuchi"},"description":"Chef\u30fbDocker\u30fbMirantis\u88fd\u54c1\u306a\u3069\u306e\u6280\u8853\u8981\u7d20\u306b\u52a0\u3048\u3066\u3001\u4f1a\u8b70\u306e\u9032\u3081\u65b9\u30fb\u6587\u7ae0\u306e\u66f8\u304d\u65b9\u306a\u3069\u306e\u696d\u52d9\u6539\u5584\u306b\u3082\u53d6\u308a\u7d44\u3093\u3067\u3044\u307e\u3059\u3002\u300cChef\u6d3b\u7528\u30ac\u30a4\u30c9\u300d\u5171\u8457\u306e\u307b\u304b\u3001Debian Official Developer\u3082\u3084\u3063\u3066\u3044\u307e\u3059\u3002","url":"https:\/\/www.creationline.com\/tech-blog\/author\/higuchi"}]}},"_links":{"self":[{"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/posts\/76919","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=76919"}],"version-history":[{"count":4,"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/posts\/76919\/revisions"}],"predecessor-version":[{"id":76924,"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/posts\/76919\/revisions\/76924"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/media\/76921"}],"wp:attachment":[{"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=76919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=76919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.creationline.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=76919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}