Dockerhub API: Access to the resource is forbidden with personal access token #1914

Closed
kiriappeee opened this issue Nov 5, 2019 · 3 comments

@kiriappeee

Problem description

Prefacing this with the fact that I do understand that the Dockerhub API is internal only and that there may be no supported answer for this. Wanted to report in case I could get advice.

Actual description of the problem - I can log in but cannot access the v2/repositories/{image}/tags/{tag} endpoint when using personal access tokens.

Context around this

We need a way to check if an image:tag combination exists before building the image in our pipeline. Downloading the image is not an option since:

  1. Some of our images are large and downloading this adds overhead to the pipeline we'd like to avoid.
  2. Part of the pipeline runs inside a docker container and doing a docker inside docker installation is something we'd like to avoid.

We could use docker manifest inspect image:tag but apart from the docker in docker issue mentioned above, we also have the challenge of docker manifest still being experimental.

Therefore we reverted to using the Dockerhub internal API. With the introduction of 2FA and personal access tokens, however, it seems like this is not going to be possible anymore.

Suggested solution

Make the internal API work with personal access tokens till an officially supported API interface is released by the Docker team.

Sorry, I know that's a big ask but from various Stack Overflow issues and other places on the internet, being able to verify that an image:tag combination exists for a private repo on Dockerhub via some kind of API call seems like it would be really useful.

@cowsrule

cowsrule commented Nov 5, 2019

Hi @kiriappeee - Currently personal access tokens on Docker Hub only support the Registry APIs, so unfortunately this is expected. We do expect to extend their scope to allow access to the Hub APIs, but I don't have an ETA on when this will be available.

Thanks for enabling 2FA and appreciate the feedback!

@cowsrule cowsrule closed this as completed Nov 6, 2019
@manishtomar
Contributor

@kiriappeee You can use the distribution API to check if a tag has been updated. That is public and documented. Here is a sample script to see it working:

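# Usage: <script> <repo> <path> [extra curl options], e.g. library/ubuntu manifests/latest
repo=$1
url=$2
shift 2  # remove repo and path so "$@" passes only the extra curl options
# Get a bearer token scoped to pull on this repository, then call the registry API with it
token=$(curl -u username:password "https://auth.docker.io/token?service=registry-1.docker.io&scope=repository:$repo:pull" | jq -r .token)
curl "https://registry-1.docker.io/v2/$repo/$url" -H "Authorization: Bearer $token" -L -H "Accept: application/vnd.docker.distribution.manifest.v2+json" "$@"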

@kiriappeee
Author

@cowsrule Thank you so much for taking the time to reply! Appreciate the response.

@manishtomar That's amazing! I tried it out and feel like such a goof for not using this all this while 🤦🏽‍♂️. I tried it out the day after submitting this issue but got the scope resource grammar all wrong. Many thanks for pointing me in the right direction ♥🙌🏽
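
The image:tag existence check discussed in this thread, written out as an added example (not code from the issue or from Docker). It uses only the registry token and manifest endpoints shown above; `DOCKER_USER` and `DOCKER_TOKEN` are assumed variable names, with the personal access token supplied as the password, and `curl` and `jq` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. DOCKER_USER / DOCKER_TOKEN are assumed names.

# Official images are written without a namespace but live under library/.
normalize_repo() {
  case "$1" in
    */*) printf '%s' "$1" ;;
    *)   printf 'library/%s' "$1" ;;
  esac
}

# Token-service scope grammar: repository:<name>:<action>[,<action>...]
registry_scope() {
  printf 'repository:%s:pull' "$(normalize_repo "$1")"
}

# Keep "missing" distinct from auth and transport failures so a pipeline
# never rebuilds or overwrites a tag just because the lookup was denied.
classify_status() {
  case "$1" in
    200)     echo exists ;;
    404)     echo missing ;;
    401|403) echo denied ;;
    *)       echo error ;;
  esac
}

# Accept image manifests and multi-arch indexes alike; a tag whose manifest
# type is not in the Accept header can otherwise be reported as not found.
ACCEPT='application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json'

# Prints exists | missing | denied | error for <repo> <tag>.
tag_exists() {
  repo=$(normalize_repo "$1"); tag=$2
  # Pass credentials as curl config on stdin so they stay out of the process list.
  token=$(printf 'user = "%s:%s"\n' "$DOCKER_USER" "$DOCKER_TOKEN" |
    curl -fsS -K - "https://auth.docker.io/token?service=registry-1.docker.io&scope=$(registry_scope "$1")" |
    jq -r '.token // empty')
  # No token: bad credentials or a network failure; do not report "missing".
  [ -n "$token" ] || { echo error; return 0; }
  # HEAD request: only the status line and headers are transferred, no image data.
  code=$(curl -s -o /dev/null -w '%{http_code}' -I \
    -H "Authorization: Bearer $token" -H "Accept: $ACCEPT" \
    "https://registry-1.docker.io/v2/$repo/manifests/$tag")
  classify_status "$code"
}
```

A build step would branch on the printed verdict of `tag_exists <repo> <tag>` and build only on `missing`, failing the job on `denied` or `error`.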
