
Google Container Registry authentication via oauth2 token

Open camelpunch opened this issue 3 years ago • 0 comments

It'd be nice to be able to rely on a Concourse worker's IAM roles in GCP to authenticate with Google Container Registry.

Step 5 of https://cloud.google.com/container-registry/docs/advanced-authentication#token shows how to log in to regular docker using a token obtained from Google's metadata servers (i.e. "workload identity" from a VM or K8s container).

The Google container libraries that this project uses should already support this, but I think we'd need to avoid the checks for username/password or require a special-case username to allow the library to retrieve credentials.

A manual way, from a GCP instance / GKE container (without e.g. jq) would be:

```sh
# Ask the GCE/GKE metadata server for the default service account's access token.
# The Metadata-Flavor header is required or the request is rejected.
curl -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token \
  # Pull the access_token value out of the JSON reply (no jq available).
  | sed 's/.*access_token":"\(.*\)","expires.*/\1/' \
  # GCR accepts the token as the password for the fixed username oauth2accesstoken.
  | docker login -u oauth2accesstoken --password-stdin https://eu.gcr.io/some-repo
```

Thoughts?

camelpunch May 20 '21 09:05
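What the resource could do in-process instead of the shell pipeline in the issue, added here as an example and not code from registry-image-resource: fetch the token from the metadata server with the required header, parse the reply as JSON instead of with sed, refresh it before it expires, and build the `oauth2accesstoken` auth entry that `docker login` would write to config.json. The metadata URL and username come from the issue; the function names, the 60 s refresh margin and the sample response are assumptions.

```python
import base64
import json
import time
import urllib.request

# Metadata endpoint and the fixed 'oauth2accesstoken' username come from the issue.
METADATA_TOKEN_URL = ("http://169.254.169.254/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
REGISTRY_USER = "oauth2accesstoken"

def fetch_token_json(url=METADATA_TOKEN_URL, timeout=2.0):
    """Fetch the raw JSON token response from the GCE/GKE metadata server.
    The Metadata-Flavor header is required; GCE rejects requests without it."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def parse_token(body, now=None):
    """Parse the reply with a JSON parser instead of sed and return
    (access_token, absolute expiry time). Rejects malformed or non-Bearer replies."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise ValueError("unexpected metadata token response")
    now = time.time() if now is None else now
    return data["access_token"], now + int(data["expires_in"])

def docker_auth_entry(registry, token):
    """Build the 'auths' entry docker login writes to config.json:
    base64("oauth2accesstoken:<token>") keyed by the registry host."""
    raw = f"{REGISTRY_USER}:{token}".encode()
    return {registry: {"auth": base64.b64encode(raw).decode()}}

class TokenCache:
    """Cache the short-lived token and re-fetch it 60 s (assumed margin) before expiry."""
    def __init__(self, fetch=fetch_token_json, margin=60):
        self._fetch, self._margin = fetch, margin
        self._token, self._expiry = None, 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expiry - self._margin:
            self._token, self._expiry = parse_token(self._fetch(), now)
        return self._token

# Constructed sample body shaped like the metadata server's reply (not a real token).
SAMPLE_BODY = '{"access_token":"ya29.EXAMPLE-TOKEN","expires_in":3599,"token_type":"Bearer"}'

if __name__ == "__main__":  # offline demo using the constructed sample
    token = TokenCache(fetch=lambda: SAMPLE_BODY).get()
    print(json.dumps({"auths": docker_auth_entry("eu.gcr.io", token)}, indent=2))
```

On a real VM or GKE pod, `TokenCache()` with the default fetcher talks to the metadata server, so the IAM role bound to the instance or workload identity is what ends up authorising the pull.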