diff --git a/go.mod b/go.mod
index 9bd1f62c2..c0d60231f 100644
--- a/go.mod
+++ b/go.mod
@@ -74,6 +74,7 @@ require (
 golang.org/x/sync v0.7.0
 golang.org/x/sys v0.22.0
 golang.org/x/term v0.22.0
+ google.golang.org/grpc v1.62.2
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 k8s.io/api v0.30.3
@@ -273,7 +274,6 @@ require (
 google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240318140521-94a12d6c2237 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
- google.golang.org/grpc v1.62.2 // indirect
 google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/initrd/dockerfile.go b/initrd/dockerfile.go
index 0e7c33b2e..79b54280c 100644
--- a/initrd/dockerfile.go
+++ b/initrd/dockerfile.go
@@ -15,6 +15,9 @@ import (
 "strings"

 "golang.org/x/sync/errgroup"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
 "kraftkit.sh/config"
 "kraftkit.sh/cpio"
 "kraftkit.sh/log"
@@ -23,6 +26,8 @@ import (
 soci "github.com/anchore/stereoscope/pkg/image/oci"
 "github.com/moby/buildkit/client"
 "github.com/moby/buildkit/identity"
+ "github.com/moby/buildkit/session"
+ "github.com/moby/buildkit/session/auth"
 "github.com/moby/buildkit/session/filesync"
 "github.com/moby/buildkit/util/progress/progressui"
 "github.com/testcontainers/testcontainers-go"
@@ -279,6 +284,11 @@ func (initrd *dockerfile) Build(ctx context.Context) (string, error) {

 solveOpt := &client.SolveOpt{
 Ref: identity.NewID(),
+ Session: []session.Attachable{
+ &buildkitAuthProvider{
+ config.G[config.KraftKit](ctx).Auth,
+ },
+ },
 Exports: []client.ExportEntry{
 {
 Type: client.ExporterTar,
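Review bot: The new `Session` entry in `Build` hands the provider the entire `Auth` map, so for the duration of this solve the BuildKit daemon can request the credentials of any configured registry, not only the ones the Dockerfile pulls from. That is how the BuildKit auth session works, but it puts the daemon endpoint inside the trust boundary for every stored token; a call-site comment such as `// Exposes all configured registry credentials to the buildkit daemon for this session.` would make that explicit. How the client connects is outside this hunk, so it is worth confirming that a non-local daemon address is only reached over an authenticated, encrypted transport. The literal would also read more safely keyed, `&buildkitAuthProvider{auths: config.G[config.KraftKit](ctx).Auth}`. `Build` starts and ends outside the hunk.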
@@ -522,3 +532,34 @@ func (initrd *dockerfile) Env() []string {
 func (initrd *dockerfile) Args() []string {
 return initrd.args
 }
+
+type buildkitAuthProvider struct {
+ auths map[string]config.AuthConfig
+}
+
+func (ap *buildkitAuthProvider) Register(server *grpc.Server) {
+ auth.RegisterAuthServer(server, ap)
+}
+
+func (ap *buildkitAuthProvider) Credentials(ctx context.Context, req *auth.CredentialsRequest) (*auth.CredentialsResponse, error) {
+ res := &auth.CredentialsResponse{}
+
+ if a, ok := ap.auths[req.Host]; ok {
+ res.Username = a.User
+ res.Secret = a.Token
+ }
+
+ return res, nil
+}
+
+func (ap *buildkitAuthProvider) FetchToken(ctx context.Context, req *auth.FetchTokenRequest) (*auth.FetchTokenResponse, error) {
+ return nil, status.Errorf(codes.Unavailable, "client side tokens disabled")
+}
+
+func (ap *buildkitAuthProvider) GetTokenAuthority(ctx context.Context, req *auth.GetTokenAuthorityRequest) (*auth.GetTokenAuthorityResponse, error) {
+ return nil, status.Errorf(codes.Unavailable, "client side tokens disabled")
+}
+
+func (ap *buildkitAuthProvider) VerifyTokenAuthority(ctx context.Context, req *auth.VerifyTokenAuthorityRequest) (*auth.VerifyTokenAuthorityResponse, error) {
+ return nil, status.Errorf(codes.Unavailable, "client side tokens disabled")
+}
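Review bot: `Credentials` matches `req.Host` against the config keys byte for byte and answers a miss with an empty response and a nil error, so a key written in a different form (a scheme prefix, a port, or a Docker Hub alias rather than the host BuildKit asks for) silently downgrades the pull to anonymous. BuildKit's own provider, for example, rewrites `registry-1.docker.io` to the Docker Hub config key before looking it up; whether KraftKit normalises its `Auth` keys elsewhere is not visible in this hunk. Consider normalising the host before the lookup and recording a miss without any secret material, e.g. `log.G(ctx).Debugf("no registry credentials configured for %q", req.Host)`. The new type and its methods also carry no doc comments; a short one on `buildkitAuthProvider` saying that it serves registry credentials from the KraftKit config and rejects the token-authority RPCs would help the next reader.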