IBM Cloud Docs
Announcing the end of Container Registry support for UAA tokens from 12 August 2020

Announcing the end of Container Registry support for UAA tokens from 12 August 2020

IBM Cloud® Container Registry will not accept UAA tokens for authentication from 12 August 2020.

The original announcement was published on 3 February 2020.

Container Registry supported IAM as its main form of authentication for several years. In parallel, Container Registry continued to support UAA and registry tokens as deprecated forms of authentication. On 12 August 2020, UAA tokens will no longer be accepted for authenticating to Container Registry. Registry tokens continue to work, but the end of support date for registry tokens is not available yet. All customers who are not already doing so must use IAM for authenticating to Container Registry.

Next steps to use IAM for authentication

If you have any automation that uses registry or UAA tokens to authenticate to Container Registry, you need to update your automation to use IAM instead. For example, any scripts that perform an explicit docker login and pass something other than the IAM usernames mentioned here must be updated to instead pass a form of IAM authentication. API keys are the recommended approach for automation. Note ibmcloud cr login performs a docker login in the background, but it is already updated to log in with IAM.

Kubernetes clusters can use image pull secrets to pull images from private registries. If any Kubernetes namespaces in your cluster rely on pull secrets that contain a registry or UAA token, they need to be replaced with pull secrets that contain an IAM API key.

IBM Cloud Kubernetes Service clusters that were created before 25 February 2019, do not have IAM API keys in pull secrets and must be updated. This update is automated by the Container Registry CLI plug-in, and instructions can be found here. Clusters that were created after 25 February 2019, already contain updated pull secrets. However, if you copied pull secrets that contain registry tokens to any Kubernetes namespaces other than default, you must ensure that those pull secrets contain an API key.

Summary

On 12 August 2020, UAA tokens will no longer be accepted to authenticate to Container Registry. Registry tokens continue to work but are deprecated. An end of support date is not available yet. Ensure that you are not using UAA tokens for authentication and consider removing all uses of registry tokens and migrating fully to IAM. API keys are the recommended approach for automation and pull secrets.

Many benefits exist for using IAM API keys instead of registry tokens. With IAM API keys, you can add IAM policies for more fine-grained control over access. For example, you can create IAM access policies to restrict permissions to specific registry namespaces so that a cluster can pull images from those namespaces only.