Accessing IBM Cloud Container Registry by using trusted profiles
You can use trusted profiles to grant different IBM Cloud® identities access to IBM Cloud® Container Registry resources in your account. Automatically grant federated users access to your account with conditions based on SAML attributes from your corporate directory.
A user doesn't need to be a member of the account to assume a trusted profile. A user can use the profile if the user's identity provider (IdP) matches an IdP used in the conditions of trust.
When you initially create a trusted profile, you can build conditions of trust with the following entity types: federated users and service IDs. After you create the trusted profile, you can add more conditions to combine multiple entity types in the same profile.
For more information about trusted profiles, see Creating trusted profiles.
Accessing namespaces in automation by using a trusted profile
You can use service ID API keys to automate the pushing and pulling of container images to and from namespaces that the trusted profile has access to.
You can use service ID API keys in the following places:
- IBM Cloud Kubernetes Service or Red Hat OpenShift on IBM Cloud clusters.
- Kubernetes and Red Hat® OpenShift® clusters that aren't on IBM Cloud.
- Docker CLI and other clients.
Creating a trusted profile
A trusted profile must be created in the same account as the registry resources that you want to access. A service ID in a separate account can then be added to that trusted profile to establish trust; see Establishing trust with service IDs by using the CLI. Make a note of the trusted profile ID because it is used as the username for the login.
Creating a service ID API key manually
Create a service ID API key that you can use to log in to the registry.
To create a service ID API key, see Managing service ID API keys and ibmcloud iam service-api-key-create.
Using client software to authenticate in automation
Use an API key to log in to the registry by using common clients.
Clients require an API key, a username, and a domain. Replace API_KEY with your API key, PROFILE_ID with the trusted profile ID, and REGISTRY_DOMAIN with the domain of the registry where your namespaces are set up.
Region | Region that was formerly known as | REGISTRY_DOMAIN
---|---|---
global | Not applicable | icr.io
au-syd | ap-south | au.icr.io
br-sao | Not applicable | br.icr.io
ca-tor | Not applicable | ca.icr.io
eu-de | eu-central | de.icr.io
eu-es | Not applicable | es.icr.io
eu-gb | uk-south | uk.icr.io
jp-osa | Not applicable | jp2.icr.io
jp-tok | ap-north | jp.icr.io
us-south | Not applicable | us.icr.io
For more information about how to use IBM Cloud Container Registry in a Continuous Delivery pipeline, see Using a private image registry.
Examples of how to authenticate automatically with the registry are provided for the following clients:
Using Buildah to authenticate with the registry
You can use Buildah to authenticate with the registry so that you can push and pull images to and from the registry.
Use the API key, profile ID, and domain to log in to the registry by running the following Buildah command. Replace PROFILE_ID with the trusted profile ID, API_KEY with the API key, and REGISTRY_DOMAIN with the domain:
buildah login -u PROFILE_ID -p API_KEY REGISTRY_DOMAIN
Using Docker to authenticate with the registry
You can use Docker to authenticate with the registry so that you can push and pull images to and from the registry.
Use the API key, profile ID, and domain to log in to the registry by running the following Docker command. Replace PROFILE_ID with the trusted profile ID, API_KEY with the API key, and REGISTRY_DOMAIN with the domain:
docker login -u PROFILE_ID -p API_KEY REGISTRY_DOMAIN
Using Podman to authenticate with the registry
You can use Podman to authenticate with the registry so that you can push and pull images to and from the registry.
Use the API key, profile ID, and domain to log in to the registry by running the following Podman command. Replace PROFILE_ID with the trusted profile ID, API_KEY with the API key, and REGISTRY_DOMAIN with the domain:
podman login -u PROFILE_ID -p API_KEY REGISTRY_DOMAIN
Using Skopeo to authenticate with the registry
You can use Skopeo to authenticate with the registry so that you can push and pull images to and from the registry.
For example, you can use the following Skopeo command to pull an image from Docker Hub and push it to your namespace. Replace REGISTRY_DOMAIN with the name of your domain, NAMESPACE with your namespace, PROFILE_ID with the trusted profile ID, and API_KEY with your API key:
skopeo --insecure-policy --override-os linux copy docker://busybox:latest docker://REGISTRY_DOMAIN/NAMESPACE/busybox:latest --dest-creds PROFILE_ID:API_KEY
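The login commands above all store the same credential: the trusted profile ID as the username and the service ID API key as the password, keyed by the registry domain. The Python below is an added example, not code from the IBM Cloud documentation. It builds the config.json entry that docker login and podman login write for a registry, wraps it in the kubernetes.io/dockerconfigjson Secret that a Kubernetes cluster not on IBM Cloud uses as an imagePullSecret, and decodes a secret back to its username and password so that you can audit which profile ID a deployed secret actually carries. The secret name, profile ID, and API key values are constructed placeholders; the set of registry domains is taken from the table on this page.

```python
import base64
import json

# Registry domains from the table on this page. Validating against this set
# rejects a mistyped domain before the API key is written into any credential.
KNOWN_REGISTRY_DOMAINS = frozenset({
    "icr.io", "au.icr.io", "br.icr.io", "ca.icr.io", "de.icr.io",
    "es.icr.io", "uk.icr.io", "jp2.icr.io", "jp.icr.io", "us.icr.io",
})


def docker_config_json(profile_id: str, api_key: str, registry_domain: str) -> str:
    """Return the config.json content that docker/podman login produce for one
    registry: username = trusted profile ID, password = service ID API key,
    and `auth` = base64("username:password"), which clients use at pull time."""
    if registry_domain not in KNOWN_REGISTRY_DOMAINS:
        raise ValueError(f"unknown registry domain: {registry_domain!r}")
    if not profile_id or not api_key:
        raise ValueError("profile ID and API key must both be non-empty")
    auth = base64.b64encode(f"{profile_id}:{api_key}".encode()).decode()
    return json.dumps({
        "auths": {
            registry_domain: {
                "username": profile_id,
                "password": api_key,
                "auth": auth,
            }
        }
    })


def image_pull_secret(name: str, profile_id: str, api_key: str,
                      registry_domain: str) -> dict:
    """Wrap the config in a kubernetes.io/dockerconfigjson Secret manifest, the
    shape `kubectl create secret docker-registry` generates, for use as an
    imagePullSecret in a Kubernetes or OpenShift cluster outside IBM Cloud."""
    config = docker_config_json(profile_id, api_key, registry_domain)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(config.encode()).decode()},
    }


def credentials_from_secret(secret: dict, registry_domain: str) -> tuple:
    """Decode a pull secret the way a kubelet would and return the
    (username, password) stored for registry_domain. Splitting on the first
    ':' only keeps a password that itself contains ':' intact."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"]).decode()
    entry = json.loads(raw)["auths"][registry_domain]
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed placeholder values; a real profile ID and API key come from IAM.
    manifest = image_pull_secret("icr-pull", "Profile-EXAMPLE-0000",
                                 "EXAMPLE_API_KEY", "uk.icr.io")
    print(json.dumps(manifest, indent=2))
    print(credentials_from_secret(manifest, "uk.icr.io"))
```

The manifest holds the API key in reversible base64, so a file containing it is as sensitive as the key itself; piping the JSON straight into kubectl apply -f - avoids leaving it on disk. For the interactive commands on this page, docker login, podman login, and buildah login all accept --password-stdin, which keeps the API key out of shell history and process listings where -p API_KEY would expose it.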