ImagePullSecrets are authorization tokens, or secrets, that store Docker credentials used to access a private registry. The following describes how to create and use imagePullSecrets to pull private container images with service account authentication (the service account must have the permissions required to pull images from the registry). Although the example below uses Google Artifact Registry, the same approach can be applied to any private container registry.

Service Account

AWS, GCP, Azure, etc. use service accounts for controlling user access. Within the service account, there is an option to create an access key. Create the key.json file and download it to a server or local machine. Example file from GCP:
{
  "type": "service_account",
  "project_id": "<your-project-id>",
  "private_key_id": "fhrk45h89egh945h89hehg948",
  "private_key": "-----BEGIN PRIVATE KEY-----\hfdiegic34587697dfmty796^&*^TYIG*&R*&^UTOIY9hreytn9vgmefhiv9eorityrshf8yiftgreh7tiuygvhiuxdkflyg598yyu58rytgf8eryihgknruotrty8erityhgjtoirkjghmrkfdmgkstj3oit4ru89y*^%&^*%OIUTFBDV^&UY$RTYI\n-----END PRIVATE KEY-----\n",
  "client_email": "<your-service-account>@<your-project-id>.iam.gserviceaccount.com",
  "client_id": "348579836789347805460459",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-service-account.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}

Create Secret

Use kubectl to create the secret from the key.json file created for the service account in the previous step. This example creates a secret in the lilt namespace using the service account email:
NOTE: Google Artifact Registry credentials are REPOSITORY specific, not just region specific. Secrets are also namespace specific, so a new secret must be created for each additional namespace.
kubectl -n lilt create secret docker-registry <your-secret-name> \
    --docker-server="https://us-docker.pkg.dev/<your-repository>" \
    --docker-username=_json_key \
    --docker-password="$(cat key.json)" \
    --docker-email="<your-service-account>@<your-project-id>.iam.gserviceaccount.com"
Optional: If you need to use the same secret in other namespaces, copy it with the following command:
kubectl get secret <your-secret-name> --namespace=lilt -oyaml | grep -v '^\s*namespace:\s' | kubectl apply --namespace=<other-name-space> -f -
Verify secrets:
kubectl get secrets -A
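The secret created above can be checked for common mistakes before any pod depends on it. The following is an added example, not part of the original page: it rebuilds the structure that `kubectl create secret docker-registry` stores and audits it. The function names, the secret name and the sample key are hypothetical, constructed values.

```python
import base64
import json
from urllib.parse import urlparse

SECRET_TYPE = "kubernetes.io/dockerconfigjson"


def build_pull_secret(name, namespace, server, key_json, email):
    """Build a Secret with the structure `kubectl create secret docker-registry` stores."""
    basic = base64.b64encode(f"_json_key:{key_json}".encode()).decode()
    cfg = {"auths": {server: {"username": "_json_key", "password": key_json,
                              "email": email, "auth": basic}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "type": SECRET_TYPE,
            "metadata": {"name": name, "namespace": namespace},
            "data": {".dockerconfigjson": blob}}


def decode_config(secret):
    """base64 is an encoding, not encryption: any reader of the Secret gets the key."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))


def audit_pull_secret(secret):
    """Return a list of problems found in a pull-secret manifest (empty list = OK)."""
    if secret.get("type") != SECRET_TYPE:
        return [f"type is not {SECRET_TYPE}"]
    problems = []
    for server, entry in decode_config(secret).get("auths", {}).items():
        url = urlparse(server)
        if url.scheme != "https" or not url.netloc:
            problems.append(f"{server}: not a well-formed https:// registry URL")
        if entry.get("username") != "_json_key":
            problems.append(f"{server}: username is not _json_key")
        try:
            key = json.loads(entry.get("password") or "")
        except json.JSONDecodeError:
            problems.append(f"{server}: password is not valid JSON")
            continue
        if not isinstance(key, dict) or key.get("type") != "service_account":
            problems.append(f"{server}: password is not a service account key")
    return problems


# Constructed sample key with placeholder values only; not a real credential.
SAMPLE_KEY = json.dumps({"type": "service_account", "project_id": "example-project",
                         "private_key": "PLACEHOLDER"})
```

To audit a live secret, pass `audit_pull_secret` the parsed output of `kubectl -n lilt get secret <your-secret-name> -o json`. Because the decoded secret contains the full service account key, read access to secrets in the namespace should be restricted accordingly.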

Helm Chart, Manifest

Reference the imagePullSecret in a Helm chart values.yaml or manifest file:
global:
  imagePullSecrets:
    - <your-secret-name>