crane-auth

Execute crane auth subcommand

$ crane auth [subcommand]

$ crane auth get [registry_address] [[-h|--help]]

$ crane auth login [registry_address] [[-h|--help]] [[-p|--password]] [password] [-password-stdin] [[-u|--username]] [username]

$ crane auth logout [registry_address] [[-h|--help]]

$ crane auth token [registry_address] [[-H|--header]] [[-h|--help]] [[-m|--mount]] [scope1 scope2 ...] --push

$ crane auth [[-h|--help]]

crane auth <command> [options]
Available commands:
  login [registry]
  logout [registry]
  refresh
  token [registry]

login [registry]
    Authenticates to the specified container registry. If registry is omitted, it attempts to log in to default registries. Used with --username and --password or --password-stdin.

logout [registry]
    Deauthenticates from the specified container registry, removing stored credentials.

refresh
    Attempts to refresh existing authentication tokens for configured registries, if supported by the credential helper.

token [registry]
    Retrieves and prints an authentication token for the specified registry. Can be used for programmatic access or debugging.

--username, -u <username>
    Specifies the username for authentication when using the login command.

--password, -p <password>
    Specifies the password for authentication when using the login command.
Note: Using this flag directly in the command line is insecure; prefer --password-stdin.

--password-stdin
    Reads the password for authentication from standard input when using the login command. Recommended for automation and scripting to avoid exposing passwords in shell history.

--service <service>
    Used with the token command to specify the service scope for the requested token.

The crane auth command, a subcommand of the crane tool from the go-containerregistry project, provides comprehensive functionality for managing authentication credentials with OCI (Open Container Initiative) compliant container image registries. Its primary purpose is to enable secure interaction with private and public registries, allowing users to perform operations like pushing, pulling, and inspecting images.

It supports various authentication flows, including username/password-based login, and integrates with Docker's credential helper mechanisms for persistent and secure storage of tokens and refresh credentials. This command simplifies the complex process of authenticating to different registry types (e.g., Docker Hub, Google Container Registry, Amazon ECR, Azure Container Registry), abstracting away registry-specific nuances and providing a unified interface for credential management. It is an essential component for any workflow involving private container image repositories where authentication is required.

The crane auth command is a subcommand of the crane binary, not a standalone executable named 'crane-auth'. Invocation should always be prefixed with 'crane'. Its functionality heavily relies on the underlying credential helper configurations, typically found in ~/.docker/config.json, and its behavior can vary depending on the specific registry and its supported authentication mechanisms.

crane auth leverages existing Docker credential helper configurations, typically stored in ~/.docker/config.json. This allows it to reuse credentials managed by the Docker CLI or other tools that adhere to the same standard, providing a consistent and secure authentication experience across container tools.

The command provides broad support for a multitude of OCI-compliant registries, including but not limited to Docker Hub, Google Container Registry (GCR), Amazon Elastic Container Registry (ECR), Azure Container Registry (ACR), Quay.io, and various self-hosted or private registries, ensuring versatility for different deployment environments.

The crane auth command is an integral part of the crane tool, which emerged from Google's go-containerregistry project. This project was initiated to provide a pure Go library for interacting with OCI container registries, aiming to eliminate the need for a Docker daemon. The auth subcommand was developed to facilitate seamless and secure authentication to various registries, reflecting the evolving landscape of container image distribution and the need for flexible credential management solutions within the cloud-native ecosystem.

crane(1), docker-login(1), skopeo-login(1), podman-login(1)