4e55845af8
* Adding some docs clarifying tokens that ECR needs to succeed * slight verbiage change * Update content/codespaces/codespaces-reference/allowing-your-codespace-to-access-a-private-image-registry.md Co-authored-by: Ethan Palm <56270045+ethanpalm@users.noreply.github.com>
4.2 KiB
title, intro, versions, topics, product, shortTitle
| title | intro | versions | topics | product | shortTitle | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Allowing your codespace to access a private image registry | You can use secrets to allow {% data variables.product.prodname_codespaces %} to access a private image registry |
|
|
{% data reusables.gated-features.codespaces %} | Private image registry |
About private image registries and {% data variables.product.prodname_codespaces %}
A registry is a secure space for storing and managing private container images, such as Azure Container Registry or DockerHub. You can create secrets in GitHub to store the access details for a private registry and use them to give your codespace access to images stored in the registry.
When you launch a codespace, {% data variables.product.prodname_codespaces %} checks for three secrets, which define the server name, username, and personal access token (PAT) for a container registry. If these secrets are found, {% data variables.product.prodname_codespaces %} will make the registry available inside your codespace.
<*>_CONTAINER_REGISTRY_SERVER<*>_CONTAINER_REGISTRY_USER<*>_CONTAINER_REGISTRY_PASSWORD
You can store secrets at the user, repository, or organization-level, allowing you to share them securely between different codespaces. When you create a set of secrets for a private image registry, you need to replace the "<*>" in the name with a consistent identifier. For more information, see "Managing encrypted secrets for your codespaces" and "Managing encrypted secrets for your repository and organization for Codespaces."
If you are setting the secrets at the user or organization level, make sure to assign those secrets to the repository you'll be creating the codespace in by choosing an access policy from the dropdown list.
Example secrets
For a private image registry in Azure, you could create the following secrets:
ACR_CONTAINER_REGISTRY_SERVER = mycompany.azurecr.io
ACR_CONTAINER_REGISTRY_USER = acr-user-here
ACR_CONTAINER_REGISTRY_PASSWORD = <PAT>
For information on common image registries, see "Common image registry servers."
Once you've added the secrets, you may need to stop and then start the codespace you are in for the new environment variables to be passed into the container. For more information, see "Suspending or stopping a codespace."
Common image registry servers
Some of the common image registry servers are listed below:
- DockerHub -
https://index.docker.io/v1/ - GitHub Container Registry -
ghcr.io - Azure Container Registry -
<registry name>.azurecr.io - Amazon Elastic Container Registry -
<aws_account_id>.dkr.ecr.<region>.amazonaws.com - Google Cloud Container Registry -
gcr.io(US),eu.gcr.io(EU),asia.gcr.io(Asia)
Accessing AWS Elastic Container Registry
If you want to access AWS Elastic Container Registry (ECR), you must provide an AWS authorization token in the ECR_CONTAINER_REGISTRY_PASSWORD. This authorization token is not the same as your secret key. You can obtain an AWS authorization token by using AWS's APIs or CLI. These tokens are short lived and will need to be refreshed periodically. For more information, see AWS ECR's "Private registry authentication" documentation.