At least with Google's GCR, this is no longer the case. They have a Docker credentials helper [1] which transparently handles authentication for regular interactive use, and service accounts with permanent keys [2] for use with CI servers etc. I find both of these to be fairly straightforward to use.