docker-login

Interactively log into a registry

$ docker login

$ docker login [[-u|--username]] [username]

$ docker login [[-u|--username]] [username] [[-p|--password]] [password] [server]

$ echo "[password]" | docker login [[-u|--username]] [username] --password-stdin

docker login [OPTIONS] [SERVER]

--username, -u USERNAME
    Username for authentication with the registry.

--password, -p PASSWORD
    Password for the registry. Highly discouraged due to security risks (e.g., exposure in shell history or process lists).

--password-stdin
    Read the password from standard input. Recommended for scripting to avoid exposing passwords on the command line.

--email, -e EMAIL
    DEPRECATED and ignored by modern registries like Docker Hub. Formerly used to provide an email for the registry.

--help
    Display help information for the command.

The docker login command allows users to authenticate their Docker client with a Docker registry, such as Docker Hub or a private registry. This authentication is crucial for performing actions like docker pull (for private images) and docker push (to upload images) on the registry.

When executed, it typically prompts interactively for a username and password. Upon successful authentication, Docker securely stores the credentials in a configuration file (usually ~/.docker/config.json), often utilizing a credential helper. This process ensures that subsequent operations with the registry are seamless, without requiring re-entry of credentials.

It supports various authentication methods, including interactive prompts, passing credentials directly (though discouraged for security), and reading passwords from standard input for scripting purposes. This command is foundational for managing Docker images across different environments and collaborating on containerized applications by sharing images via registries.

Using --password directly on the command line is a significant security risk as the password might be exposed in shell history or process listings. It is strongly recommended to use --password-stdin for automated scripts or to rely on the interactive prompt or credential helpers.

The --email option is deprecated and has no effect on modern Docker registries.

By default, if no SERVER is specified, docker login attempts to authenticate with Docker Hub (docker.io).

Docker automatically utilizes credential helpers (e.g., docker-credential-desktop, docker-credential-ecr-login) if they are configured and available on the system. These helpers are crucial for securely storing and retrieving registry credentials, often integrating with OS-specific keychains or cloud provider authentication mechanisms. This is the recommended way to manage credentials for enhanced security and convenience.

When the SERVER argument is omitted, docker login defaults to authenticating against Docker Hub. This refers to https://index.docker.io/v1/ or https://registry-1.docker.io/v2/.

The command typically runs interactively, prompting for a username and password. For automation and scripting, --password-stdin is preferred to provide credentials non-interactively without exposing them as command-line arguments, which can be insecure.

The docker login command has been a core component of the Docker CLI since its early inception, providing the essential means for users to interact with Docker registries. Over time, its security features have significantly evolved, most notably with the introduction and widespread adoption of credential helpers. These helpers securely store authentication tokens, enhancing the overall security posture for developers and CI/CD pipelines by eliminating the need to store raw passwords. The deprecation of the --email flag also reflects a simplification towards standard username/password-based authentication models.

docker logout(1), docker pull(1), docker push(1), docker info(1)