Authenticate with the Container Registry
In GitLab 16.0 and later, external authorization prevents personal access tokens and deploy tokens from accessing container and package registries and affects all users who use these tokens to access the registries. You can disable external authorization if you want to use personal access tokens and deploy tokens with the container or package registries.
To authenticate with the Container Registry, you can use a:
All of these authentication methods require the minimum scope:
- For read (pull) access, to be
read_registry
. - For write (push) access, to be
write_registry
andread_registry
.
To authenticate, run the docker login
command. For example:
docker login registry.example.com -u <username> -p <token>
Use GitLab CI/CD to authenticate
To use CI/CD to authenticate with the Container Registry, you can use:
-
The
CI_REGISTRY_USER
CI/CD variable.This variable has read-write access to the Container Registry and is valid for one job only. Its password is also automatically created and assigned to
CI_REGISTRY_PASSWORD
.docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-
A CI job token.
docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
- A deploy token with the minimum scope of:
- For read (pull) access,
read_registry
. - For write (push) access,
write_registry
.
docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
- For read (pull) access,
- A personal access token with the minimum scope of:
- For read (pull) access,
read_registry
. - For write (push) access,
write_registry
.
docker login -u <username> -p <access_token> $CI_REGISTRY
- For read (pull) access,