From bca1c4aefe50254c83c83805071671430eb6d11a Mon Sep 17 00:00:00 2001
From: Casey Davenport <davenport.cas@gmail.com>
Date: Sat, 31 Jan 2026 09:02:36 -0800
Subject: [PATCH] Use gcloud credential helper to login to GCR

---
 .semaphore/vms/configure-test-vm | 9 ++++++---
 .semaphore/vms/run-tests-on-vms  | 2 ++
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.semaphore/vms/configure-test-vm b/.semaphore/vms/configure-test-vm
index 421956eab3d..be631fabf9e 100755
--- a/.semaphore/vms/configure-test-vm
+++ b/.semaphore/vms/configure-test-vm
@@ -79,8 +79,8 @@ set +x
 echo "$DOCKERHUB_PASSWORD" | ssh "ubuntu@${vm_ip}" -- docker login --username "$DOCKERHUB_USERNAME" --password-stdin
 scp -r -C "$HOME/secrets" "ubuntu@${vm_ip}:/home/ubuntu/secrets"
 set -x
-"${ssh_cmd[@]}" "gcloud auth activate-service-account --key-file=/home/ubuntu/secrets/secret.google-service-account-key.json && \
-  gcloud config set project unique-caldron-775 && \
+
+"${ssh_cmd[@]}" "gcloud config set project unique-caldron-775 && \
   gcloud storage cp '${GCS_WORKFLOW_DIR}/${COMPONENT}/fv-artifacts/*' /tmp && \
   tar -xzf /tmp/working-copy.tgz && \
   ${CALICO_DIR_NAME}/${COMPONENT}/.semaphore/load-test-artifacts"
@@ -88,4 +88,7 @@ set -x
 if [ "$ENABLE_JIT_HARDENING" = "true" ]; then
   echo "Enabling BPF JIT hardening on test VM"
   "${ssh_cmd[@]}" sudo sysctl -w net.core.bpf_jit_harden=2
-fi
\ No newline at end of file
+fi
+
+# Login using the VM's service account.
+"${ssh_cmd[@]}" 'gcloud auth configure-docker gcr.io --quiet'
diff --git a/.semaphore/vms/run-tests-on-vms b/.semaphore/vms/run-tests-on-vms
index a298dad8121..77f67f42358 100755
--- a/.semaphore/vms/run-tests-on-vms
+++ b/.semaphore/vms/run-tests-on-vms
@@ -76,6 +76,8 @@ fi
 # Do a bulk create; this is faster and it saves API quota.
 echo "Creating test VMs in bulk..."
 gcloud --quiet compute instances bulk create \
+       --service-account="semaphore-v2-gcr@unique-caldron-775.iam.gserviceaccount.com" \
+       --scopes="https://www.googleapis.com/auth/cloud-platform" \
        --predefined-names="$names" \
        --zone=${zone} \
        --machine-type=${VM_MACHINE_TYPE} \