バージョン: v1.3

GitHub Container Registry (GHCR) Authentication

This guide explains how to authenticate with GitHub Container Registry (ghcr.io) using Docker or Podman.

Prerequisites

GitHub account with appropriate repository access
Docker or Podman installed on your system

Creating a Personal Access Token (PAT)

Navigate to GitHub Settings
- Go to https://github.com/settings/tokens
- Or: Click your profile photo → Settings → Developer settings → Personal access tokens → Tokens (classic)
Generate New Token
- Click "Generate new token" → "Generate new token (classic)"
- Provide a descriptive note (e.g., "GHCR Access for Service Operator")
- Set expiration date as needed
Select Required Scopes For GHCR access, select at minimum:
- read:packages - Download container images
Generate and Save Token
- Click "Generate token"
- IMPORTANT: Copy the token immediately - you won't be able to see it again
- Store it securely (password manager recommended)

Authentication

Add to your inventory.yml

For secure token storage in inventory files:

Encrypt the token using Ansible Vault:
```
ansible-vault encrypt_string 'ghp_YourToken' --name 'ghcr_pat' --ask-vault-password
```
You'll be prompted to create a vault password. The command will output encrypted text.

Add to inventory.yml:

all:
  vars:
    iaas_console:
      ghcr_user: "your-github-username"
      ghcr_pat: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        ... encrypted token ...

# Docker
echo "YOUR_GITHUB_TOKEN" | docker login ghcr.io -u YOUR_GITHUB_USERNAME --password-stdin

# Podman
echo "YOUR_GITHUB_TOKEN" | podman login ghcr.io -u YOUR_GITHUB_USERNAME --password-stdin

Verifying Authentication

Test your authentication by pulling a public image:

# Docker
docker pull ghcr.io/midokura/gpu-infra-ansible:v0.1

# Podman
podman pull ghcr.io/midokura/gpu-infra-ansible:v0.1

Token Storage Location

Credentials are stored in:

Docker: ~/.docker/config.json
Podman: ${XDG_RUNTIME_DIR}/containers/auth.json or ~/.config/containers/auth.json

Security Best Practices

Use Fine-Grained Tokens: Consider using fine-grained personal access tokens for better security control
Set Expiration Dates: Don't create tokens that never expire
Rotate Tokens: Regularly rotate your tokens
Limit Scope: Only grant the minimum required permissions
Secure Storage: Never commit tokens to version control
Use Environment Variables: Store tokens in environment variables or secret management systems

Troubleshooting

"unauthorized: authentication required" Error

Verify token has correct scopes (read:packages at minimum)
Check token hasn't expired
Ensure correct username and token are used

"denied: permission denied" Error

Verify you have access to the repository
Check if the package/image exists and is accessible
Confirm token has necessary permissions for the operation

Token Not Working After Creation

Wait a few minutes - token activation can take time
Try logging out and logging back in
Verify you copied the entire token string

Logout

When done or to clear credentials:

# Docker
docker logout ghcr.io

# Podman
podman logout ghcr.io

Prerequisites​

Creating a Personal Access Token (PAT)​

Authentication​

Add to your inventory.yml​

Docker/Podman Direct Login​

Verifying Authentication​

Token Storage Location​

Security Best Practices​

Troubleshooting​

"unauthorized: authentication required" Error​

"denied: permission denied" Error​

Token Not Working After Creation​

Logout​

Additional Resources​