Commit a145d669 authored by Ben Bodenmiller, committed by Suzanne Selhorn

Clarify Authenticating to the Container Registry with CI/CD details

parent d57379f8
...@@ -201,10 +201,7 @@ Before diving into the details, some things you should be aware of: ...@@ -201,10 +201,7 @@ Before diving into the details, some things you should be aware of:
### Authenticating to the Container Registry with GitLab CI/CD ### Authenticating to the Container Registry with GitLab CI/CD
There are three ways to authenticate to the Container Registry via There are three ways to authenticate to the Container Registry via
[GitLab CI/CD](../../../ci/yaml/README.md) which depend on the visibility of [GitLab CI/CD](../../../ci/yaml/README.md):
your project.
Available for all projects, though more suitable for public ones:
- **Using the special `CI_REGISTRY_USER` variable**: The user specified by this variable is created for you in order to - **Using the special `CI_REGISTRY_USER` variable**: The user specified by this variable is created for you in order to
push to the Registry connected to your project. Its password is automatically push to the Registry connected to your project. Its password is automatically
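Review bot: With "which depend on the visibility of your project" and "Available for all projects, though more suitable for public ones:" removed from the intro, the list of three methods no longer gives any criterion for choosing between them. Consider adding one sentence after the intro that says what distinguishes the options (who owns the credential and what access it grants), so readers do not default to the broadest token.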
...@@ -216,14 +213,22 @@ Available for all projects, though more suitable for public ones: ...@@ -216,14 +213,22 @@ Available for all projects, though more suitable for public ones:
docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
``` ```
For private and internal projects: - **Using the GitLab Deploy Token**: You can create and use a
[special deploy token](../../project/deploy_tokens/index.md#gitlab-deploy-token)
with your projects.
Once created, you can use the special environment variables, and GitLab CI/CD
fills them in for you. You can use the following example as-is:
```shell
docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
```
- **Using a personal access token**: You can create and use a - **Using a personal access token**: You can create and use a
[personal access token](../../profile/personal_access_tokens.md) [personal access token](../../profile/personal_access_tokens.md)
in case your project is private: in case your project is private:
- For read (pull) access, the scope should be `read_registry`. - For read (pull) access, the scope should be `read_registry`.
- For read/write (pull/push) access, use `api`. - For write (push) access, the scope should be `write_registry`.
Replace the `<username>` and `<access_token>` in the following example: Replace the `<username>` and `<access_token>` in the following example:
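Review bot: The moved deploy token bullet now ends at "with your projects." and drops the old statement "It provides read-only (pull) access to the Registry." without saying what access the token has instead; state which deploy token scopes are needed for pull and for push. The personal access token bullet also still reads "in case your project is private", which no longer fits now that the "For private and internal projects:" line is removed in this hunk.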
...@@ -231,16 +236,6 @@ For private and internal projects: ...@@ -231,16 +236,6 @@ For private and internal projects:
docker login -u <username> -p <access_token> $CI_REGISTRY docker login -u <username> -p <access_token> $CI_REGISTRY
``` ```
- **Using the GitLab Deploy Token**: You can create and use a
[special deploy token](../../project/deploy_tokens/index.md#gitlab-deploy-token)
with your private projects. It provides read-only (pull) access to the Registry.
Once created, you can use the special environment variables, and GitLab CI/CD
fills them in for you. You can use the following example as-is:
```shell
docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
```
### Container Registry examples with GitLab CI/CD ### Container Registry examples with GitLab CI/CD
If you're using Docker-in-Docker on your Runners, this is how your `.gitlab-ci.yml` If you're using Docker-in-Docker on your Runners, this is how your `.gitlab-ci.yml`
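Review bot: The context line at the top of this hunk, `docker login -u <username> -p <access_token> $CI_REGISTRY`, is the only example that asks readers to substitute a literal token, which invites pasting it into `.gitlab-ci.yml`, and `-p` places it on the command line. Since this change reworks all three login examples, consider showing the token read from a CI/CD variable and passed with `--password-stdin`.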
......
...@@ -60,6 +60,7 @@ the following table. ...@@ -60,6 +60,7 @@ the following table.
| `api` | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951) | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. | | `api` | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951) | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_api` | [GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944) | Grants read access to the API, including all groups and projects, the container registry, and the package registry. | | `read_api` | [GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944) | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
| `read_registry` | [GitLab 9.3](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/11845) | Allows to read (pull) [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. | | `read_registry` | [GitLab 9.3](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/11845) | Allows to read (pull) [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. |
| `write_registry` | [GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28958) | Allows to write (push) [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. |
| `sudo` | [GitLab 10.2](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14838) | Allows performing API actions as any user in the system (if the authenticated user is an administrator). | | `sudo` | [GitLab 10.2](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14838) | Allows performing API actions as any user in the system (if the authenticated user is an administrator). |
| `read_repository` | [GitLab 10.7](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894) | Allows read-only access (pull) to the repository through `git clone`. | | `read_repository` | [GitLab 10.7](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894) | Allows read-only access (pull) to the repository through `git clone`. |
| `write_repository` | [GitLab 11.11](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/26021) | Allows read-write access (pull, push) to the repository through `git clone`. Required for accessing Git repositories over HTTP when 2FA is enabled. | | `write_repository` | [GitLab 11.11](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/26021) | Allows read-write access (pull, push) to the repository through `git clone`. Required for accessing Git repositories over HTTP when 2FA is enabled. |
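Review bot: The new `write_registry` row does not say whether the scope also permits pull, while the registry page in this same commit replaces "For read/write (pull/push) access, use `api`" with a push-only `write_registry` bullet, so a reader who needs both cannot tell whether to select `read_registry` as well. State that explicitly in the description. The qualifier "if a project is private and authorization is required" is copied from the `read_registry` row and should be checked for push, and "Allows to write" would read better as "Allows pushing".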
......