Docker Registry Authentication
Authenticate with Docker Hub, GitHub Container Registry (GHCR), AWS ECR, and Google Artifact Registry. Learn secure credential management for CI/CD pipelines.
Registry
Detailed Explanation
Logging In to Registries
Docker Hub
# Interactive login
docker login
# Use access token (recommended over password)
echo $DOCKER_HUB_TOKEN | docker login -u myuser --password-stdin
GitHub Container Registry (GHCR)
echo $GITHUB_PAT | docker login ghcr.io -u USERNAME --password-stdin
AWS ECR
# Get login token (expires in 12 hours)
aws ecr get-login-password --region us-east-1 | \
docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com
Google Artifact Registry
gcloud auth configure-docker us-docker.pkg.dev
# Or with a service account key:
cat key.json | docker login -u _json_key --password-stdin https://us-docker.pkg.dev
Azure Container Registry
az acr login --name myregistry
# Or with service principal:
docker login myregistry.azurecr.io -u $SP_APP_ID --password-stdin <<< $SP_PASSWORD
Security Best Practices
- Never use
-pflag for passwords in scripts; always use--password-stdin - Use access tokens instead of account passwords
- Rotate credentials regularly
- In CI/CD, use short-lived tokens (AWS ECR tokens expire in 12 hours)
- Docker credential helpers store credentials securely:
// ~/.docker/config.json
{
"credHelpers": {
"gcr.io": "gcloud",
"123456789.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"
}
}
Logging Out
docker logout
docker logout ghcr.io
Use Case
Setting up CI/CD pipelines to push images to private registries, configuring multi-registry authentication for development teams, and managing credentials securely across different cloud providers.