@creamy-potato-29402 I have another observation / request. As you can see above I’m injecting a short-lived access token into the docker build command (via

password: execSync('gcloud auth print-access-token').toString('utf8'))

). This access token changes on every

pulumi up

invocation and because of this pulumi shows the resource as updated on every invocation. I’m not sure if it’s a good design decision that pulumi considers the password / access_token part of the permanent state / checkpoint of the resource since it’s more or less a secret that it just needed to create the resource but not a crucial part of the resource itself (i.e. unlike a password of a database resource). Also for GCR there is no classic notion of a long lived username / password (see https://cloud.google.com/container-registry/docs/advanced-authentication) . I think the easiest / quick-win for me would be if you allow to disable authentication (i.e. skip

docker login

) since my local docker is already authenticated automatically via gcloud which is registered as docker credential helper (see also https://cloud.google.com/sdk/gcloud/reference/auth/configure-docker).

@glamorous-printer-66548 cool, will take a look today.