diff --git a/pkg/commands/resolver.go b/pkg/commands/resolver.go
index 6c053e2fbe..a78ab76178 100644
--- a/pkg/commands/resolver.go
+++ b/pkg/commands/resolver.go
@@ -209,7 +209,7 @@ func makePublisher(po *options.PublishOptions) (publish.Interface, error) {
 		if po.Push {
 			dp, err := publish.NewDefault(repoName,
 				publish.WithUserAgent(userAgent),
-				publish.WithAuthFromKeychain(keychain),
+				publish.WithKeyChain(keychain),
 				publish.WithNamer(namer),
 				publish.WithTags(po.Tags),
 				publish.WithTagOnly(po.TagOnly),
diff --git a/pkg/publish/default.go b/pkg/publish/default.go
index b0f58cc994..58f79975d9 100644
--- a/pkg/publish/default.go
+++ b/pkg/publish/default.go
@@ -35,13 +35,16 @@ import (
 	"github.com/google/ko/pkg/build"
 )
 
+const RepoOverrideEnvKey = "AUX_REPOSITORY"
+
 // defalt is intentionally misspelled to avoid keyword collision (and drive Jon nuts).
 type defalt struct {
 	base      string
 	t         http.RoundTripper
 	userAgent string
-	auth      authn.Authenticator
 	namer     Namer
+	auth      authn.Authenticator
+	keychain  authn.Keychain
 	tags      []string
 	tagOnly   bool
 	insecure  bool
@@ -55,6 +58,7 @@ type defaultOpener struct {
 	t         http.RoundTripper
 	userAgent string
 	auth      authn.Authenticator
+	keychain  authn.Keychain
 	namer     Namer
 	tags      []string
 	tagOnly   bool
@@ -67,8 +71,9 @@ type Namer func(string, string) string
 
 // identity is the default namer, so import paths are affixed as-is under the repository
 // name for maximum clarity, e.g.
-//   gcr.io/foo/github.com/bar/baz/cmd/blah
-//   ^--base--^ ^-------import path-------^
+//
+//	gcr.io/foo/github.com/bar/baz/cmd/blah
+//	^--base--^ ^-------import path-------^
 func identity(base, in string) string { return path.Join(base, in) }
 
 // As some registries do not support pushing an image by digest, the default tag for pushing
@@ -90,6 +95,7 @@ func (do *defaultOpener) Open() (Interface, error) {
 		t:         do.t,
 		userAgent: do.userAgent,
 		auth:      do.auth,
+		keychain:  do.keychain,
 		namer:     do.namer,
 		tags:      do.tags,
 		tagOnly:   do.tagOnly,
@@ -105,6 +111,7 @@ func NewDefault(base string, options ...Option) (Interface, error) {
 		t:         http.DefaultTransport,
 		userAgent: "ko",
 		auth:      authn.Anonymous,
+		keychain:  authn.DefaultKeychain,
 		namer:     identity,
 		tags:      defaultTags,
 	}
@@ -203,7 +210,7 @@ func (d *defalt) Publish(ctx context.Context, br build.Result, s string) (name.R
 	// https://github.com/google/go-containerregistry/issues/212
 	s = strings.ToLower(s)
 
-	ro := []remote.Option{remote.WithAuth(d.auth), remote.WithTransport(d.t), remote.WithContext(ctx), remote.WithUserAgent(d.userAgent)}
+	ro := []remote.Option{remote.WithAuthFromKeychain(d.keychain), remote.WithTransport(d.t), remote.WithContext(ctx), remote.WithUserAgent(d.userAgent)}
 	no := []name.Option{}
 	if d.insecure {
 		no = append(no, name.Insecure)
diff --git a/pkg/publish/options.go b/pkg/publish/options.go
index ead9fd4050..ae7ee0821f 100644
--- a/pkg/publish/options.go
+++ b/pkg/publish/options.go
@@ -78,6 +78,15 @@ func WithAuthFromKeychain(keys authn.Keychain) Option {
 	}
 }
 
+// WithKeyChain is a functional option for overriding the default
+// authenticator on a default publisher using an authn.Keychain
+func WithKeyChain(keys authn.Keychain) Option {
+	return func(i *defaultOpener) error {
+		i.keychain = keys
+		return nil
+	}
+}
+
 // WithNamer is a functional option for overriding the image naming behavior
 // in our default publisher.
 func WithNamer(n Namer) Option {