This document describes how to configure authentication to Docker Hub upstream repositories for Artifact Registry remote repositories.
We recommend authenticating to Docker Hub even if you are only using public images, as authenticating will increase your download rate limit. For more information on Docker Hub download rate limits, see Docker Hub rate limit. Remote repositories allow you to add your Docker Hub username and a personal access token saved as a secret to authenticate to Docker Hub.
This document assumes you have already created an Artifact Registry Docker remote repository, and a Docker Hub account.
For more information on remote repositories, see the Remote repositories overview.
Required roles
To get the permissions that you need to configure authentication to Docker Hub for remote repositories, ask your administrator to grant you the following IAM roles on the project:
- Artifact Registry Admin (roles/artifactregistry.admin)
- Secret Manager Admin (roles/secretmanager.admin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Create a Docker Hub personal access token
- Sign in to Docker Hub.
- Create a personal access token with read-only permissions.
- Copy the access token.
- Save the access token in a text file on your local machine or in Cloud Shell.
Save your personal access token in a secret version
- Create a secret in Secret Manager.
- Save your Docker Hub personal access token as a secret version.
Grant the Artifact Registry service account access to your secret
The Artifact Registry service agent acts on behalf of Artifact Registry when interacting with Google Cloud services. To allow the service agent to use secrets stored in Secret Manager, you must grant the service agent permission to view your secret version.
The service agent identifier is:
service-PROJECT-NUMBER@gcp-sa-artifactregistry.iam.gserviceaccount.com
PROJECT-NUMBER is the project number of the Google Cloud project where Artifact Registry is running.
To grant the Artifact Registry service agent the Secret Manager Secret Accessor role:
Console
- Go to the Secret Manager page in the Google Cloud console.
- On the Secret Manager page, click the checkbox next to the name of the secret.
- If it is not already open, click Show Info Panel to open the panel.
- In the info panel, click Add Principal.
- In the New principals text area, enter the email address(es) of the members to add.
- In the Select a role dropdown, choose Secret Manager and then Secret Manager Secret Accessor.
gcloud
$ gcloud secrets add-iam-policy-binding secret-id \
--member="member" \
--role="roles/secretmanager.secretAccessor"
Where member is an IAM member, such as a user, group, or service account.
C#, Go, Java, Node.js, PHP, Python, Ruby
To authenticate to Artifact Registry, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
API
Note: Unlike the other examples, this replaces the entire IAM policy.
$ curl "https://secretmanager.googleapis.com/v1/projects/project-id/secrets/secret-id:setIamPolicy" \
--request "POST" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--data "{\"policy\": {\"bindings\": [{\"members\": [\"member\"], \"role\": \"roles/secretmanager.secretAccessor\"}]}}"
For more information on granting or revoking access to secrets, see Manage access to secrets.
Add Docker Hub credentials to your remote repository
To update your remote repository with your Docker Hub credentials:
Console
- Open the Repositories page in the Google Cloud console.
- In the repository list, select the repository and click Edit Repository.
- In the Remote repository authentication mode section, update or add your Docker Hub username and the secret version containing your Docker Hub access token.
gcloud CLI
To update your remote repository with your Docker Hub credentials, run the following command:
gcloud artifacts repositories update REPOSITORY \
--project=PROJECT_ID \
--location=LOCATION \
--remote-username=USERNAME \
--remote-password-secret-version=projects/SECRET_PROJECT_ID/secrets/SECRET_ID/versions/SECRET_VERSION
Replace the following:
- REPOSITORY with the name of your Artifact Registry remote repository.
- PROJECT_ID with your Google Cloud project ID.
- LOCATION with the regional or multi-regional location for the repository. You can omit this flag if you set a default. To view a list of supported locations, run the command gcloud artifacts locations list.
- USERNAME with your Docker Hub username.
- SECRET_PROJECT_ID with the project ID of the Google Cloud project in which you created your secret.
- SECRET_ID with the name you gave your secret.
- SECRET_VERSION with the secret version you saved your Docker Hub access token in.
Your credentials are used the next time the remote repository sends a request for an artifact from the upstream source.
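The following script is an added example, not part of this document or of the gcloud CLI itself. It chains the steps above (save the token as a secret version, grant the Artifact Registry service agent the Secret Accessor role on that one secret, attach the username and secret version to the remote repository) into one sh script. The project, location, repository, secret and username values are assumptions, set as overridable defaults; the token is read from a file with --data-file so it never appears on the command line or in shell history, and the grant uses add-iam-policy-binding, which merges into the existing policy rather than replacing it the way the setIamPolicy API call does. Set DRY_RUN=1 to print each gcloud command instead of running it, and pass "apply" to execute the whole procedure.

```shell
#!/bin/sh
# Added example (not from the original page): configure Docker Hub credentials
# for an Artifact Registry remote repository. All names below are assumptions.
set -eu

# Assumed inputs (override in the environment before running with "apply").
PROJECT_ID="${PROJECT_ID:-my-project}"               # project that owns the remote repository
LOCATION="${LOCATION:-us-central1}"                  # repository location
REPOSITORY="${REPOSITORY:-dockerhub-remote}"         # existing Docker remote repository
SECRET_ID="${SECRET_ID:-dockerhub-pat}"              # secret that will hold the access token
DOCKERHUB_USERNAME="${DOCKERHUB_USERNAME:-example-user}"
TOKEN_FILE="${TOKEN_FILE:-./dockerhub-token.txt}"    # file containing the read-only token

# run: execute a command, or only print it when DRY_RUN=1 so the changes can be
# reviewed before anything in the project is touched.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# service_agent_email: the Artifact Registry service agent for a project number
# (the identifier given on this page).
service_agent_email() {
  printf 'service-%s@gcp-sa-artifactregistry.iam.gserviceaccount.com\n' "$1"
}

# secret_version_name: full resource name expected by --remote-password-secret-version.
secret_version_name() {
  printf 'projects/%s/secrets/%s/versions/%s\n' "$1" "$2" "$3"
}

# create_secret_from_file: create the secret and add the token file as its first version.
create_secret_from_file() {
  run gcloud secrets create "$1" --project="$PROJECT_ID" --replication-policy=automatic
  run gcloud secrets versions add "$1" --project="$PROJECT_ID" --data-file="$2"
}

# grant_accessor: grant only the service agent, and only on this secret,
# roles/secretmanager.secretAccessor (least privilege: no project-wide grant).
grant_accessor() {
  run gcloud secrets add-iam-policy-binding "$1" --project="$PROJECT_ID" \
    --member="serviceAccount:$(service_agent_email "$2")" \
    --role="roles/secretmanager.secretAccessor"
}

# attach_credentials: point the remote repository at the username and secret version.
attach_credentials() {
  run gcloud artifacts repositories update "$REPOSITORY" --project="$PROJECT_ID" \
    --location="$LOCATION" --remote-username="$DOCKERHUB_USERNAME" \
    --remote-password-secret-version="$(secret_version_name "$PROJECT_ID" "$SECRET_ID" "$1")"
}

main() {
  [ -f "$TOKEN_FILE" ] || { echo "token file $TOKEN_FILE not found" >&2; exit 1; }
  # PROJECT_NUMBER may be supplied directly; otherwise look it up.
  project_number="${PROJECT_NUMBER:-$(gcloud projects describe "$PROJECT_ID" --format='value(projectNumber)')}"
  create_secret_from_file "$SECRET_ID" "$TOKEN_FILE"
  grant_accessor "$SECRET_ID" "$project_number"
  attach_credentials 1
}

# Only run the procedure when invoked as: ./setup.sh apply
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Because the grant is scoped to the single secret and to the service agent only, a later audit of the secret's IAM policy (gcloud secrets get-iam-policy SECRET_ID) should show exactly that one binding, which is an easy check that nothing broader was granted.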
What's next
- Learn more about Artifact Registry repositories.
- Pull images with Docker.
- Take the Docker Hub remote repository quickstart.