✦ For everyone, free.

Practical knowledge for real and everyday life

Home

10.1.2.4 Pipeline Registry Credentials

A focused guide to Pipeline Registry Credentials, connecting core concepts with practical Docker and container operations.

Pipeline registry credentials are the authentication details a CI/CD pipeline uses to push and pull container images as part of an automated build and deployment process, requiring careful handling given that a pipeline's credentials are typically stored and used without any human directly present to make case-by-case judgment calls.

Storing Pipeline Credentials as a Secured Secret

A CI/CD platform's own secret management feature, rather than embedding credentials directly in pipeline configuration, is the appropriate way to make registry credentials available to a pipeline.

steps:
  - name: Login to registry
    run: echo "${{ secrets.REGISTRY_TOKEN }}" | docker login registry.example.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin

Referencing a credential through the platform's secret mechanism, rather than hardcoding it directly in the pipeline file, keeps it out of version control and out of plainly visible configuration.

Why a Dedicated Service Account Is Preferable to a Personal Account

Using a dedicated service account, scoped specifically to what the pipeline actually needs, rather than an individual team member's personal credentials, avoids tying pipeline functionality to a specific person's account and its associated risks.

docker login registry.example.com -u ci-service-account
Scoping Pipeline Credentials as Narrowly as Possible

A pipeline that only needs to push to one specific repository shouldn't be granted broader registry access than that, limiting the potential impact if this credential were ever somehow exposed.

Token scope: push, repository: myteam/myapi
Rotating Pipeline Credentials Periodically

Periodically rotating a pipeline's registry credentials, even without a specific known compromise, is a reasonable security practice given how broadly automated credentials are typically used across many pipeline runs over time.

docker login registry.example.com -u ci-service-account
Why Pipeline Registry Credentials Matter

Given how routinely and automatically pipeline credentials are used, applying careful handling — secured secret storage, scoped service accounts, narrow permissions, periodic rotation — is an important security practice for any automated build and deployment process interacting with a registry.

Related content