crane-auth
Authenticate Crane with a container registry
TLDR
Execute crane auth subcommand
Implement credential helper
Log in to a registry
Log out of a registry
Retrieve a token for a remote repository
Display help
SYNOPSIS
crane auth <command> [options]
Available commands:
login [registry]
logout [registry]
refresh
token [registry]
PARAMETERS
login [registry]
Authenticates to the specified container registry. If registry is omitted, it attempts to log in to default registries. Used with --username and --password or --password-stdin.
logout [registry]
Deauthenticates from the specified container registry, removing stored credentials.
refresh
Attempts to refresh existing authentication tokens for configured registries, if supported by the credential helper.
token [registry]
Retrieves and prints an authentication token for the specified registry. Can be used for programmatic access or debugging.
--username, -u <username>
Specifies the username for authentication when using the login command.
--password, -p <password>
Specifies the password for authentication when using the login command.
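Note: Passing the password directly on the command line is insecure, because the value ends up in shell history and is visible in the process list while the command runs; prefer --password-stdin.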
--password-stdin
Reads the password for authentication from standard input when using the login command. Recommended for automation and scripting to avoid exposing passwords in shell history.
--service <service>
Used with the token command to specify the service scope for the requested token.
DESCRIPTION
The crane auth command, a subcommand of the crane tool from the go-containerregistry project, provides comprehensive functionality for managing authentication credentials with OCI (Open Container Initiative) compliant container image registries. Its primary purpose is to enable secure interaction with private and public registries, allowing users to perform operations like pushing, pulling, and inspecting images.
It supports various authentication flows, including username/password-based login, and integrates with Docker's credential helper mechanisms for persistent and secure storage of tokens and refresh credentials. This command simplifies the complex process of authenticating to different registry types (e.g., Docker Hub, Google Container Registry, Amazon ECR, Azure Container Registry), abstracting away registry-specific nuances and providing a unified interface for credential management. It is an essential component for any workflow involving private container image repositories where authentication is required.
CAVEATS
The crane auth command is a subcommand of the crane binary, not a standalone executable named 'crane-auth'. Invocation should always be prefixed with 'crane'. Its functionality heavily relies on the underlying credential helper configurations, typically found in ~/.docker/config.json, and its behavior can vary depending on the specific registry and its supported authentication mechanisms.
CREDENTIAL HELPER INTEGRATION
crane auth leverages existing Docker credential helper configurations, typically stored in ~/.docker/config.json. This allows it to reuse credentials managed by the Docker CLI or other tools that adhere to the same standard, providing a consistent and secure authentication experience across container tools.
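Because credentials end up in ~/.docker/config.json or behind a helper named there, it is worth checking which of the two applies per registry. The following is an added example, not code from crane or go-containerregistry: it audits a config file, assuming the Docker CLI layout (auths, credsStore, credHelpers), and runs on a constructed sample written to a temporary directory.

```python
import base64
import json
import os
import stat
import tempfile

def audit_docker_config(path):
    """Classify where each registry's credentials live in a Docker-style config.json."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    helpers = cfg.get("credHelpers", {})
    store = cfg.get("credsStore")
    findings = {}
    for registry, entry in cfg.get("auths", {}).items():
        if entry.get("auth") or entry.get("identitytoken") or entry.get("password"):
            # Secret is in the file itself; "auth" is base64(user:password), not encrypted.
            raw = base64.b64decode(entry.get("auth", "")).decode("utf-8", "replace")
            findings[registry] = ("inline", raw.split(":", 1)[0])
        elif registry in helpers:
            findings[registry] = ("helper", helpers[registry])
        elif store:
            findings[registry] = ("store", store)
        else:
            findings[registry] = ("empty", "")
    for registry, name in helpers.items():
        findings.setdefault(registry, ("helper", name))
    # Inline secrets are only as private as the file: flag group/other access bits.
    mode_ok = (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0
    return findings, mode_ok

def demo():
    """Run the audit over a constructed config written to a temporary directory."""
    secret = base64.b64encode(b"ci-bot:not-a-real-password").decode()
    sample = {  # constructed sample, not taken from a real system
        "auths": {"registry.example.com": {"auth": secret}, "ghcr.io": {}},
        "credsStore": "secretservice",
        "credHelpers": {"gcr.io": "gcloud"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # world-readable on purpose, to trigger the mode check
        return audit_docker_config(path)

if __name__ == "__main__":
    print(demo())
```

Any registry reported as "inline" has a recoverable secret in the file; moving it behind a credential helper or store and restricting the file to mode 0600 removes that exposure.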
REGISTRY SUPPORT
The command provides broad support for a multitude of OCI-compliant registries, including but not limited to Docker Hub, Google Container Registry (GCR), Amazon Elastic Container Registry (ECR), Azure Container Registry (ACR), Quay.io, and various self-hosted or private registries, ensuring versatility for different deployment environments.
HISTORY
The crane auth command is an integral part of the crane tool, which emerged from Google's go-containerregistry project. This project was initiated to provide a pure Go library for interacting with OCI container registries, aiming to eliminate the need for a Docker daemon. The auth subcommand was developed to facilitate seamless and secure authentication to various registries, reflecting the evolving landscape of container image distribution and the need for flexible credential management solutions within the cloud-native ecosystem.
SEE ALSO
crane(1), docker-login(1), skopeo-login(1), podman-login(1)