Commit a145d669 authored by Ben Bodenmiller, committed by Suzanne Selhorn

Clarify Authenticating to the Container Registry with CI/CD details

parent d57379f8
......@@ -201,10 +201,7 @@ Before diving into the details, some things you should be aware of:
### Authenticating to the Container Registry with GitLab CI/CD
There are three ways to authenticate to the Container Registry via
[GitLab CI/CD](../../../ci/yaml/README.md) which depend on the visibility of
your project.
Available for all projects, though more suitable for public ones:
[GitLab CI/CD](../../../ci/yaml/README.md):
- **Using the special `CI_REGISTRY_USER` variable**: The user specified by this variable is created for you in order to
push to the Registry connected to your project. Its password is automatically
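Review bot: The intro sentence still promises "three ways" but, without the "which depend on the visibility of your project" wording and the "Available for all projects" lead-in, nothing tells the reader how to choose between them. Consider adding one sentence after the `[GitLab CI/CD](../../../ci/yaml/README.md):` line that says when each method fits, for example which one to use when a job only needs to pull.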
......@@ -216,14 +213,22 @@ Available for all projects, though more suitable for public ones:
docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
```
For private and internal projects:
- **Using the GitLab Deploy Token**: You can create and use a
[special deploy token](../../project/deploy_tokens/index.md#gitlab-deploy-token)
with your projects.
Once created, you can use the special environment variables, and GitLab CI/CD
fills them in for you. You can use the following example as-is:
```shell
docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
```
- **Using a personal access token**: You can create and use a
[personal access token](../../profile/personal_access_tokens.md)
in case your project is private:
- For read (pull) access, the scope should be `read_registry`.
- For read/write (pull/push) access, use `api`.
- For write (push) access, the scope should be `write_registry`.
Replace the `<username>` and `<access_token>` in the following example:
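Review bot: The **Using the GitLab Deploy Token** bullet in this hunk says only "with your projects" and does not state what access the token gives, while the personal access token bullet below it lists a scope per operation. Please say which access or scopes the deploy token needs for pull and for push, so readers do not over-provision it. In the personal access token list, also state whether a job that both pulls and pushes needs `read_registry` and `write_registry` together, and make "in case your project is private" consistent with the deploy token bullet, which says "with your projects".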
......@@ -231,16 +236,6 @@ For private and internal projects:
docker login -u <username> -p <access_token> $CI_REGISTRY
```
- **Using the GitLab Deploy Token**: You can create and use a
[special deploy token](../../project/deploy_tokens/index.md#gitlab-deploy-token)
with your private projects. It provides read-only (pull) access to the Registry.
Once created, you can use the special environment variables, and GitLab CI/CD
fills them in for you. You can use the following example as-is:
```shell
docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
```
### Container Registry examples with GitLab CI/CD
If you're using Docker-in-Docker on your Runners, this is how your `.gitlab-ci.yml`
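Review bot: The `docker login -u <username> -p <access_token> $CI_REGISTRY` example at the top of this hunk, together with the "Replace the `<username>` and `<access_token>`" instruction before it, invites pasting a personal access token straight into the job script. While this section is being reworked, suggest telling readers to keep the token in a CI/CD variable, and consider switching the examples to `--password-stdin`, since `docker login` warns that passing the password with `-p` on the command line is insecure.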
......
......@@ -60,6 +60,7 @@ the following table.
| `api` | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951) | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_api` | [GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944) | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_registry` | [GitLab 9.3](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/11845) | Allows to read (pull) [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. |
| `write_registry` | [GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28958) | Allows to write (push) [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. |
| `sudo` | [GitLab 10.2](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14838) | Allows performing API actions as any user in the system (if the authenticated user is an administrator). |
| `read_repository` | [GitLab 10.7](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894) | Allows read-only access (pull) to the repository through `git clone`. |
| `write_repository` | [GitLab 11.11](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/26021) | Allows read-write access (pull, push) to the repository through `git clone`. Required for accessing Git repositories over HTTP when 2FA is enabled. |
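Review bot: The `write_registry` row uses the same wording as the `read_registry` row, including "if a project is private and authorization is required"; please confirm that qualifier is accurate for push, and state whether `write_registry` also allows pull or must be combined with `read_registry`. "Allows to write" would also read better as "Grants write (push) access to".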
......