Authenticate with the Container Registry (FREE)

WARNING: In GitLab 16.0 and later, external authorization prevents personal access tokens and deploy tokens from accessing container and package registries and affects all users who use these tokens to access the registries. You can disable external authorization if you want to use personal access tokens and deploy tokens with the container or package registries.

To authenticate with the Container Registry, you can use a:

• Personal access token.
• Deploy token.
• Project access token.
• Group access token.

All of these authentication methods require the minimum scope:

• For read (pull) access, to be read_registry.
• For write (push) access, to bewrite_registry and read_registry.

To authenticate, run the docker login command. For example:

docker login registry.example.com -u <username> -p <token>

Use GitLab CI/CD to authenticate

To use CI/CD to authenticate with the Container Registry, you can use:

• The CI_REGISTRY_USER CI/CD variable.

  This variable has read-write access to the Container Registry and is valid for one job only. Its password is also automatically created and assigned to CI_REGISTRY_PASSWORD.

  docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

• A CI job token.

  docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY

• A deploy token with the minimum scope of:

  • For read (pull) access, read_registry.
  • For write (push) access, write_registry.

  docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY

• A personal access token with the minimum scope of:

  • For read (pull) access, read_registry.
  • For write (push) access, write_registry.

  docker login -u <username> -p <access_token> $CI_REGISTRY