When a project is configured to use OIDC, it should be possible to use these credentials to pull a privates image(s) from GCR when starting the executor. Users currently have to pass in a long-lived service account key (image attached). OIDC can be setup for GCP (1), but private image pulls are not yet supported. (1) https://circleci.com/docs/openid-connect-tokens/#google-cloud-platform