Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Authentication in Cloud Registry

Written by
Updated at January 22, 2025

Before you start using Cloud Registry, you need to configure Docker and get authenticated to use the appropriate interface:

  • In the management console, the minimum required role for a folder is viewer.
  • In the Docker CLI or Yandex Managed Service for Kubernetes, the minimum required role for a registry is cloud-registry.artifacts.puller.

Assign the required role to the Yandex Cloud user. Read about authentication methods and choose the appropriate one.

For more information about roles, see Access management in Yandex Cloud Registry.

Authentication methods

You can authenticate:

  • As a user:
    • Using an OAuth token (with a 12-month lifetime).
    • Using an IAM token (with a 12 hours lifetime or less).

Authenticating as a user

Note

An OAuth token lives 12 months. After that, you need to get a new one and get authenticated again.

  1. If you do not have Docker yet, install it.

  2. If you do not have an OAuth token yet, get one by following this link.

  3. Run the following command:

    echo <OAuth_token>|docker login \
  --username oauth \
  --password-stdin \
 registry.yandexcloud.net

    Where:

    • <OAuth_token>: Body of the previously obtained OAuth token.
    • --username: Token type. oauth means that an OAuth token is used for authentication.
    • registry.yandexcloud.net: The endpoint that Docker will access when working with the image registry. If it not specified, the request will be sent to Docker Hub as the default service.

Note

The IAM token has a short lifetime: no more than 12 hours. This makes it a good method for applications that automatically request an IAM token.

  1. If you do not have Docker yet, install it.

  2. Get an IAM token.

  3. Run the following command:

    echo <IAM_token>|docker login \
  --username iam \
  --password-stdin \
  registry.yandexcloud.net

    Where:

    • <OAuth>: Body of the previously obtained IAM token.
    • --username: Token type. iam means that an IAM token is used for authentication.
    • registry.yandexcloud.net: The endpoint that Docker will access when working with the image registry. If it not specified, the request will be sent to Docker Hub as the default service.

When running the command, you may get this error message: docker login is not supported with yc credential helper. In such a case, disable the Docker credential helper.

Previous
Installing and configuring Docker
Next
Creating a Docker image