diff --git a/modules/cloud-config-container/cos-generic-metadata/README.md b/modules/cloud-config-container/cos-generic-metadata/README.md
index 1194728fa..ad5ada413 100644
--- a/modules/cloud-config-container/cos-generic-metadata/README.md
+++ b/modules/cloud-config-container/cos-generic-metadata/README.md
@@ -64,6 +64,7 @@ module "cos-envoy" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| container_image | Container image. | string | ✓ | |
+| *authenticate_gcr* | Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined. | bool | | false |
| *boot_commands* | List of cloud-init `bootcmd`s | list(string) | | [] |
| *cloud_config* | Cloud config template path. If provided, takes precedence over all other arguments. | string | | null |
| *config_variables* | Additional variables used to render the template passed via `cloud_config` | map(any) | | {} |
diff --git a/modules/cloud-config-container/cos-generic-metadata/cloud-config.yaml b/modules/cloud-config-container/cos-generic-metadata/cloud-config.yaml
index 9f8e38fa6..2341415ca 100644
--- a/modules/cloud-config-container/cos-generic-metadata/cloud-config.yaml
+++ b/modules/cloud-config-container/cos-generic-metadata/cloud-config.yaml
@@ -44,6 +44,10 @@ write_files:
After=gcr-online.target docker.socket
Wants=gcr-online.target docker.socket docker-events-collector.service
[Service]
+%{ if authenticate_gcr && length(users) > 0 ~}
+ Environment="HOME=/home/${users[0].username}"
+ ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
+%{ endif ~}
ExecStart=/usr/bin/docker run --rm --name=${container_name} \
%{ if length(users) > 0 ~}
--user=${users[0].uid} \
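Review bot: The new `ExecStartPre=/usr/bin/docker-credential-gcr configure-docker` runs as the unit's service user (no `User=` is visible in this hunk, so presumably root), while the container is started with `--user=${users[0].uid}`; the `$HOME/.docker/config.json` it writes under `/home/${users[0].username}` will therefore be owned by the service user, not by that user, which works today only because the `docker run` client in `ExecStart` runs as the same service user. As far as I know, `configure-docker` without `--registries` only registers the `gcr.io`/`*.gcr.io` hosts in `credHelpers`, so an image in Artifact Registry (`*-docker.pkg.dev`) would still be pulled anonymously and fail — confirm against the helper version shipped on COS and either pass the registry hosts explicitly or document the limitation. I would also add a comment inside the new `%{ if }` block, e.g. `# configure-docker only writes a credHelpers entry; the helper presumably fetches a short-lived token from the metadata server at pull time, so the instance service account needs read access to the registry.`, so nobody later adds `User=` or rotates "the token" expecting a file. The `ExecStart` line continues past the end of this hunk.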
diff --git a/modules/cloud-config-container/cos-generic-metadata/main.tf b/modules/cloud-config-container/cos-generic-metadata/main.tf
index ee4c2ae0c..85043b19c 100644
--- a/modules/cloud-config-container/cos-generic-metadata/main.tf
+++ b/modules/cloud-config-container/cos-generic-metadata/main.tf
@@ -26,6 +26,7 @@ locals {
gcp_logging = var.gcp_logging
run_commands = var.run_commands
users = var.users
+ authenticate_gcr = var.authenticate_gcr
}))
files = {
for path, attrs in var.files : path => {
diff --git a/modules/cloud-config-container/cos-generic-metadata/variables.tf b/modules/cloud-config-container/cos-generic-metadata/variables.tf
index 1d54de00e..4040fa44c 100644
--- a/modules/cloud-config-container/cos-generic-metadata/variables.tf
+++ b/modules/cloud-config-container/cos-generic-metadata/variables.tf
@@ -108,3 +108,9 @@ variable "users" {
default = [
]
}
+
+variable "authenticate_gcr" {
+ description = "Setup docker to pull images from private GCR. Requires at least one user since the token is stored in the home of the first user defined."
+ type = bool
+ default = false
+}
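Review bot: The description's claim that "the token is stored in the home of the first user defined" does not appear to match what `docker-credential-gcr configure-docker` does — it writes a `credHelpers` entry into `$HOME/.docker/config.json`, and the helper presumably obtains a short-lived token from the instance metadata server at pull time, so no credential is persisted; confirm and reword, since the current text invites a maintainer to treat the home directory as a secret store or to look for a token to rotate. The flag is also silently ignored when `users` is empty (the template guards on `length(users) > 0`), and a variable `validation` block cannot reference `var.users`, so either state that explicitly here or add a `precondition` where the module's resources are defined (outside this hunk). Suggested wording: `description = "Configure the Docker client (via docker-credential-gcr configure-docker) to pull images from private GCR registries using the instance service account. Ignored unless at least one user is defined, because the helper configuration is written to the first user's home directory."`.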