1containers-auth.json(5)() containers-auth.json(5)()
2
3
4
6 containers-auth.json - syntax for the registry authentication file
7
8
9
11 A credentials file in JSON format used to authenticate against con‐
12 tainer image registries. The primary (read/write) file is stored at
13 ${XDG_RUNTIME_DIR}/containers/auth.json on Linux; on Windows and macOS,
14 at $HOME/.config/containers/auth.json.
15
16
17 When searching for the credential for a registry, the following files
18 will be read in sequence until the valid credential is found: first
19 reading the primary (read/write) file, or the explicit override using
20 an option of the calling application. If credentials are not present,
21 search in ${XDG\_CONFIG\_HOME}/containers/auth.json, $HOME/.docker/con‐
22 fig.json, $HOME/.dockercfg.
23
24
25 Except the primary (read/write) file, other files are read-only, unless
26 the user use an option of the calling application explicitly points at
27 it as an override.
28
29
31 The auth.json file stores encrypted authentication information for the
32 user to container image registries. The file can have zero to many en‐
33 tries and is created by a login command from a container tool such as
34 podman login, buildah login or skopeo login. Each entry includes the
35 name of the registry and then an auth token in the form of a base64 en‐
36 coded string from the concatenation of the username, a colon, and the
37 password.
38
39
40 The following example shows the values found in auth.json after the
41 user logged in to their accounts on quay.io and docker.io:
42
43
44 {
45 "auths": {
46 "docker.io": {
47 "auth": "erfi7sYi89234xJUqaqxgmzcnQ2rRFWM5aJX0EC="
48 },
49 "quay.io": {
50 "auth": "juQAqGmz5eR1ipzx8Evn6KGdw8fEa1w5MWczmgY="
51 }
52 }
53 }
54
55
56
57 An entry can be removed by using a logout command from a container tool
58 such as podman logout or buildah logout.
59
60
61 In addition, credential helpers can be configured for specific reg‐
62 istries and the credentials-helper software can be used to manage the
63 credentials in a more secure way than depending on the base64 encoded
64 authentication provided by login. If the credential helpers are con‐
65 figured for specific registries, the base64 encoded authentication will
66 not be used for operations concerning credentials of the specified reg‐
67 istries.
68
69
70 When the credential helper is in use on a Linux platform, the auth.json
71 file would contain keys that specify the registry domain, and values
72 that specify the suffix of the program to use (i.e. everything after
73 docker-credential-). For example:
74
75
76 {
77 "auths": {
78 "localhost:5001": {}
79 },
80 "credHelpers": {
81 "registry.example.com": "secretservice"
82 }
83 }
84
85
86
87 For more information on credential helpers, please reference the GitHub
88 docker-credential-helpers project ⟨https://github.com/docker/docker-
89 credential-helpers/releases⟩.
90
91
92
94 buildah-login(1), buildah-logout(1), podman-login(1), podman-logout(1), skopeo-login(1), skopeo-logout(1)
95
96
97
98
100 Feb 2020, Originally compiled by Tom Sweeney tsweeney@redhat.com
101 ⟨mailto:tsweeney@redhat.com⟩
102
103
104
105 containers-auth.json(5)()