-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dockerhub API: Access to the resource is forbidden with personal access token #1914
Comments
Hi @kiriappeee - Currently personal access tokens on Docker Hub only support the Registry APIs, so unfortunately this is expected. We do expect to extend their scope to allow access to the Hub APIs, but I don't have an ETA on when this will be available. Thanks for enabling 2FA and appreciate the feedback! |
@kiriappeee You can use distribution API to check if tag has been updated. That is public and documented. Here is sample script to see it working: repo=$1
url=$2
token=$(curl -u username:password "https://auth.docker.io/token?service=registry-1.docker.io&scope=repository:$repo:pull" | jq -r .token)
curl https://registry-1.docker.io/v2/$repo/$url -H "Authorization: Bearer $token" -L -H "Accept: application/vnd.docker.distribution.manifest.v2+json" "$@" |
@cowsrule Thank you so much for taking the time to reply! Appreciate the response. @manishtomar That's amazing! I tried it out and feel like such a goof for not using this all this while 🤦🏽♂️. I tried it out the day after submitting this issue but got the scope resource grammar all wrong. Many thanks for pointing me in the right direction ♥🙌🏽 |
Problem description
Prefacing this with the fact that I do understand that the Dockerhub API is internal only and that there may be no supported answer for this. Wanted to report in case I could get advice.
Actual description of the problem - I can login but cannot access the
v2/repositories/{image}/tags/{tag}
endpoint when using personal access tokens.Context around this
We need a way to check if an image:tag combination exists before building the image in our pipeline. Downloading the image is not an option since:
We could use
docker manifest inspect image:tag
but apart from the docker in docker issue mentioned above, we also have the challenge ofdocker manifest
still being experimental.Therefore we reverted to using the Dockerhub internal API. With the introduction of 2fa and personal access tokens however it seems like this is not going to be possible anymore.
Suggested solution
Make the internal API work with personal access tokens till an officially supported API interface is released by the Docker team
Sorry, I know that's a big ask but from various stack overflow issues and other places on the internet, being able to verify that an image:tag combination exists for a private repo on Dockerhub via some kind of API call seems like it would be really useful.
The text was updated successfully, but these errors were encountered: