# Create ImagePullSecrets

ImagePullSecrets are authorization tokens, or secrets, that store the Docker credentials used to access a private registry. The following describes how to create and use `imagePullSecrets` to pull private container images with service account authentication (the service account must have the permissions required to pull images from the registry).

Although the example below uses Google Artifact Registry, the same approach applies to any private container registry.

### Service Account

AWS, GCP, Azure, and other providers use service accounts to control user access. Within the service account, there is an option to create an access key. Create the `key.json` file and download it to a server or local machine. Example file from GCP:

```json theme={null}
{
  "type": "service_account",
  "project_id": "<your-project-id>",
  "private_key_id": "fhrk45h89egh945h89hehg948",
  "private_key": "-----BEGIN PRIVATE KEY-----\nfdiegic34587697dfmty796^&*^TYIG*&R*&^UTOIY9hreytn9vgmefhiv9eorityrshf8yiftgreh7tiuygvhiuxdkflyg598yyu58rytgf8eryihgknruotrty8erityhgjtoirkjghmrkfdmgkstj3oit4ru89y*^%&^*%OIUTFBDV^&UY$RTYI\n-----END PRIVATE KEY-----\n",
  "client_email": "<your-service-account>@<your-project-id>.iam.gserviceaccount.com",
  "client_id": "348579836789347805460459",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<your-service-account>%40<your-project-id>.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}
```

### Create Secret

Use `kubectl` to create the secret from the `key.json` file created for the service account in the previous step. This example creates a secret in the `lilt` namespace using the service account email:

<Note>
  NOTE: Google Artifact Registry is REPOSITORY specific, not just region specific. Secrets are also namespace specific, so you must create a new secret for each additional namespace.
</Note>

```bash theme={null}
kubectl -n lilt create secret docker-registry <your-secret-name> \
    --docker-server="https://us-docker.pkg.dev/<your-repository>" \
    --docker-username=_json_key \
    --docker-password="$(cat key.json)" \
    --docker-email="<your-service-account>@<your-project-id>.iam.gserviceaccount.com"
```

Optional: If you need to use the same secret in other namespaces, copy it with the following command:

```bash theme={null}
kubectl get secret <your-secret-name> --namespace=lilt -oyaml | grep -v '^\s*namespace:\s' | kubectl apply --namespace=<other-name-space> -f -
```

Verify secrets:

```bash theme={null}
kubectl get secrets -A
```
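
The listing above only shows that the secret exists. The following added example (not part of the original documentation) checks the secret's contents without printing the key: it decodes the `.dockerconfigjson` payload and confirms the server entry is an `https://` URL on the expected registry host, the username is `_json_key`, and the password is a service account key. The function names, the `audit.py` filename, and the sample data are assumptions made for illustration.

```python
import base64
import json
import sys
from urllib.parse import urlsplit


def audit_pull_secret(secret, expected_host):
    """Return a list of problems in a docker-registry Secret; never echoes the key."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return [f"unexpected secret type {secret.get('type')!r}"]
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    problems = []
    for server, entry in config.get("auths", {}).items():
        url = urlsplit(server)
        # Assumes the https://<host>/<repository> form used in the create command.
        if url.scheme != "https" or url.hostname != expected_host:
            problems.append(f"{server}: not an https URL on {expected_host}")
        if entry.get("username") != "_json_key":
            problems.append(f"{server}: username is not _json_key")
        try:
            key = json.loads(entry.get("password", ""))
        except (ValueError, TypeError):
            key = None
        if not isinstance(key, dict) or key.get("type") != "service_account":
            problems.append(f"{server}: password is not a service account key")
    if not config.get("auths"):
        problems.append("no registry entries under 'auths'")
    return problems


def sample_secret(server):
    """Constructed Secret in the shape `kubectl get secret -o json` returns."""
    key = json.dumps({"type": "service_account", "private_key": "CONSTRUCTED"})
    cfg = {"auths": {server: {"username": "_json_key", "password": key}}}
    blob = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": blob}}


if __name__ == "__main__":
    # kubectl -n lilt get secret <your-secret-name> -o json | python3 audit.py us-docker.pkg.dev
    found = audit_pull_secret(json.load(sys.stdin), sys.argv[1])
    print("\n".join(found) or "ok")
    sys.exit(1 if found else 0)
```

The script exits non-zero when it finds a problem, so it can gate a deployment step.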

### Helm Chart, Manifest

Use the `imagePullSecret` in a Helm chart `values.yaml` or manifest file:

```yaml theme={null}
global:
  imagePullSecrets:
    - <your-secret-name>
```
