Using the GCP service account to grant a long-lived credential

This recipe lets Kubernetes nodes pull images from Google Container Registry (GCR). The kubelet authenticates to the registry with whatever is stored in an imagePullSecrets Secret, so it needs a long-lived credential: a JSON key for a GCP service account. To set this up, perform the following steps:

  1. Create a GCP service account (container-sa):
$ gcloud iam service-accounts create container-sa
Created service account [container-sa].

//full name is as below
$ gcloud iam service-accounts list | grep container
container-sa@kubernetes-cookbook.iam.gserviceaccount.com
  2. Assign container-sa (use the full name) to the roles/storage.admin role. Note that roles/storage.admin lets this key push and delete images, and read or write every other Cloud Storage bucket in the project; if the key will only ever pull images, roles/storage.objectViewer is sufficient and is the least-privilege choice:
$ gcloud projects add-iam-policy-binding kubernetes-cookbook \
> --member serviceAccount:container-sa@kubernetes-cookbook.iam.gserviceaccount.com \
> --role=roles/storage.admin
  3. Generate a key file (container-sa.json) for container-sa. This file contains the service account's private key and stays valid until the key is deleted, so keep it out of version control and treat it like a password (it cannot be downloaded again later):

$ gcloud iam service-accounts keys create container-sa.json \
> --iam-account container-sa@kubernetes-cookbook.iam.gserviceaccount.com

created key [f60a81235a1ed9fbce881639f621470cb087149c] of type [json] as [container-sa.json] for [container-sa@kubernetes-cookbook.iam.gserviceaccount.com]
  4. Use docker login to check whether the key file is working or not:
//note that the username must be _json_key
$ cat container-sa.json | docker login --username _json_key --password-stdin gcr.io
Login Succeeded
  5. Use docker pull to check whether you can pull from the container registry or not:
$ docker pull gcr.io/kubernetes-cookbook/my-nginx
Using default tag: latest
latest: Pulling from kubernetes-cookbook/my-nginx
e7bb522d92ff: Pulling fs layer
6edc05228666: Pulling fs layer
...

Everything works. From here on, the Kubernetes Secret is created exactly as for a self-hosted private registry or AWS ECR; only the server, the username (_json_key) and the password (the whole key file) differ.

  6. Create a Kubernetes secret (my-gcr-secret) to specify _json_key and container-sa.json. The key file is multi-line JSON containing spaces, so the command substitution must be double-quoted; unquoted, the shell splits the key into several arguments and kubectl fails. The --docker-email value is stored in the Secret but never checked by GCR, so any address works (the address used in the original was not preserved here):
$ kubectl create secret docker-registry my-gcr-secret \
> --docker-server=gcr.io \
> --docker-username=_json_key \
> --docker-password="$(cat container-sa.json)" \
> --docker-email=<any-email-address>
secret "my-gcr-secret" created
  7. Specify my-gcr-secret in imagePullSecrets to launch a pod:
$ cat private-nginx-gcr.yaml
apiVersion: v1
kind: Pod
metadata:
  name: private-nginx-gcr
spec:
  containers:
  - name: private-nginx-gcr
    image: gcr.io/kubernetes-cookbook/my-nginx
  imagePullSecrets:
  - name: my-gcr-secret


$ kubectl create -f private-nginx-gcr.yaml
pod "private-nginx-gcr" created


$ kubectl get pods
NAME                READY     STATUS    RESTARTS   AGE
private-nginx-gcr   1/1       Running   0          47s
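To show what step 6 actually puts into the cluster, here is an added example (it is not code from the cookbook). It builds the same kubernetes.io/dockerconfigjson Secret that kubectl create secret docker-registry produces for a GCR key file, and then recovers the service-account key from that manifest, which is exactly what anyone allowed to read the Secret (or the kubelet's credential cache on a node) can do, because the data is base64-encoded, not encrypted. The key file it writes is a constructed placeholder with a fake private key, and the e-mail address is arbitrary; the helper names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: build the dockerconfigjson Secret for a GCR key and decode it again.
# The key file is constructed for the demo and is not a usable credential.

write_sample_key() {
  # Constructed stand-in for container-sa.json; the private_key is a placeholder.
  cat >"$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "kubernetes-cookbook",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "container-sa@kubernetes-cookbook.iam.gserviceaccount.com"
}
EOF
}

b64() { base64 | tr -d '\n'; }   # single-line base64, works with GNU and BSD base64

json_escape() {
  # Turn a file into the body of a JSON string: escape backslashes and double
  # quotes, then join the lines with a literal \n. Tabs/control chars are not
  # handled; a gcloud key file contains none.
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' "$1" | awk 'NR>1{printf "\\n"} {printf "%s", $0}'
}

make_dockerconfigjson() {
  # $1 = key file, $2 = e-mail (stored in the config but never checked by the registry)
  local pw auth
  pw=$(json_escape "$1")
  # "auth" is base64("username:password"); it is the field docker and the kubelet decode
  auth=$(printf '_json_key:%s' "$(cat "$1")" | b64)
  printf '{"auths":{"gcr.io":{"username":"_json_key","password":"%s","email":"%s","auth":"%s"}}}' \
    "$pw" "$2" "$auth"
}

make_secret_manifest() {
  # $1 = secret name, $2 = key file, $3 = e-mail
  local cfg
  cfg=$(make_dockerconfigjson "$2" "$3" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

secret_to_key_json() {
  # Manifest on stdin -> the service-account key JSON. Two base64 decodes and a
  # field lookup are all it takes; RBAC on the Secret is the only protection.
  sed -n 's/^ *\.dockerconfigjson: //p' \
    | base64 -d \
    | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' \
    | base64 -d \
    | sed '1s/^_json_key://'
}

# Demo: write the placeholder key, emit the manifest, then recover the key from it.
demo_dir=$(mktemp -d)
write_sample_key "$demo_dir/container-sa.json"
make_secret_manifest my-gcr-secret "$demo_dir/container-sa.json" "nobody@example.com" \
  >"$demo_dir/my-gcr-secret.yaml"
cat "$demo_dir/my-gcr-secret.yaml"
echo "--- key recovered from the Secret:"
secret_to_key_json <"$demo_dir/my-gcr-secret.yaml"
```

Running the script prints the manifest kubectl would have applied and then the key file again, byte for byte. That is why the role bound in step 2 should be as narrow as possible and why `get` on Secrets in this namespace should be restricted: the Secret is the key.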

Congratulations! You can now use Google Container Registry as your private registry, fully managed by GCP, and Kubernetes can pull your private images from it. Keep in mind that the Secret holds the service account's private key only base64-encoded, so restrict who can read Secrets in that namespace with RBAC, and delete the key with gcloud iam service-accounts keys delete when it is no longer needed or suspected to have leaked.
