LinuxCommandLibrary

crane-auth

Authenticate Crane with a container registry

TLDR

Execute crane auth subcommand

$ crane auth [subcommand]

Implement credential helper
$ crane auth get [registry_address] [[-h|--help]]

Log in to a registry
$ crane auth login [registry_address] [[-h|--help]] [[-p|--password]] [password] [--password-stdin] [[-u|--username]] [username]

Log out of a registry
$ crane auth logout [registry_address] [[-h|--help]]

Retrieve a token for a remote repository
$ crane auth token [registry_address] [[-H|--header]] [[-h|--help]] [[-m|--mount]] [scope1 scope2 ...] --push

Display help
$ crane auth [[-h|--help]]

SYNOPSIS

crane auth login [REGISTRY] [-u|--username USERNAME] [-p|--password PASSWORD] [-k|--insecure]

PARAMETERS

-h, --help
    Print usage information

-k, --insecure
    Allow HTTP (insecure) registry connections; disables TLS verification

-p, --password string
    Registry password or token; reads from stdin if unset in non-TTY

-u, --username string
    Registry username

--allow-nondistributable-artifacts
    Permit re-export of nondistributable artifacts (default true)

REGISTRY
    Registry hostname or URL (e.g., ghcr.io); optional

DESCRIPTION

The crane-auth functionality, part of the crane CLI tool, handles authentication to OCI-compliant container image registries. Crane is a fast, dependency-free static binary designed for interacting with registries without needing a Docker daemon. The auth login command stores credentials (username/password or token) in standard locations like ~/.docker/config.json, ensuring compatibility with tools like Docker, Podman, and Nerdctl.

It supports interactive password prompts or stdin input for automation in CI/CD pipelines. The registry hostname is optional; if omitted, it defaults to the Docker config context. Flags allow insecure HTTP connections (not recommended) and nondistributable artifact handling.

Once authenticated, use crane to pull, push, copy, or inspect private images. Logout removes the credentials for a specific registry. Its minimal footprint and cosign integration for signing make it well suited to air-gapped environments and Kubernetes operators.

CAVEATS

Avoid --insecure in production. Credentials are stored in plaintext in the config file unless a credential helper is used. Limited to registries supporting basic auth or token auth.

CONFIGURATION LOCATION

Credentials are saved to $HOME/.docker/config.json under the auths key; credsStore helpers are supported.
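
An added example, not part of crane or of the original page: a Python audit of a Docker-style config.json, covering the CAVEATS and CONFIGURATION LOCATION notes above. It lists registries whose credentials sit inline under auths (base64-encoded, not encrypted) and flags a file mode open beyond the owner. The sample config, its values and the helper name example-helper are constructed for illustration.

```python
import base64
import json
import os
import stat
import tempfile

# Constructed sample; "example-helper" is a hypothetical helper name.
SAMPLE_CONFIG = {
    "auths": {
        "ghcr.io": {"auth": base64.b64encode(b"USER:example-token").decode()},
        "localhost:5000": {},
    },
    "credHelpers": {"localhost:5000": "example-helper"},
}


def audit_docker_config(path):
    """Report inline credentials and loose permissions in a Docker-style config.json."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    report = {"mode_too_open": bool(mode & 0o077), "inline": [], "helper_backed": []}
    for registry, entry in sorted(cfg.get("auths", {}).items()):
        if entry.get("auth"):
            # "auth" is base64("username:password"): encoded, not encrypted.
            try:
                decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
                user = decoded.split(":", 1)[0]
            except ValueError:
                user = "<undecodable>"
            report["inline"].append((registry, user))  # never report the secret
        elif entry.get("identitytoken"):
            report["inline"].append((registry, "<identity token>"))
        elif cfg.get("credsStore") or registry in cfg.get("credHelpers", {}):
            report["helper_backed"].append(registry)
    return report


def demo():
    """Write the constructed sample with mode 0644 and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_CONFIG, fh)
        os.chmod(path, 0o644)
        return audit_docker_config(path)


if __name__ == "__main__":
    print(demo())
```

To audit a real file, call audit_docker_config() with the path to your own config.json.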

LOGOUT

crane auth logout REGISTRY deletes the credentials for the specified registry.

EXAMPLES

crane auth login ghcr.io (interactive)
echo "$TOKEN" | crane auth login -u USER --password-stdin localhost:5000

HISTORY

Developed by Google in the go-containerregistry project (circa 2020); maintained by Chainguard since 2022 for OCI image workflows and sigstore integration.

SEE ALSO

docker(1), podman-login(1), skopeo(1), cosign(1)
