IBM Cloud Container Registry will not accept registry or UAA tokens for authentication after August 12, 2020.
IBM Cloud Container Registry has supported IAM as its main form of authentication for several years now. In parallel, IBM Cloud Container Registry continued to support UAA and registry tokens as deprecated forms of authentication. On August 12, 2020, UAA and registry tokens will no longer be accepted for authenticating to IBM Cloud Container Registry; only IAM will be accepted.
Next steps to use IAM for authentication
If you have any automation that uses registry or UAA tokens to authenticate to IBM Cloud Container Registry, you need to update this to use IAM instead. For example, any scripts that perform an explicit
docker login and pass something other than the IAM usernames mentioned here must be updated to instead pass a form of IAM authentication. API keys are the recommended approach for automation. Note that
ibmcloud cr login performs a
docker login under the covers, but this is already updated to log in with IAM.
Kubernetes clusters can use image pull secrets to pull images from private registries. If any Kubernetes namespaces in your cluster rely on pull secrets that contain a registry or UAA token, these need to be replaced with pull secrets that contain an IAM API key.
IBM Cloud Kubernetes Service clusters created before February 25, 2019 do not have IAM API keys in pull secrets and, therefore, need to be updated. This update is automated by the IBM Cloud Kubernetes Service CLI plugin, and instructions can be found here. Clusters created after February 25, 2019 already contain updated pull secrets. However, if you copied pull secrets containing registry tokens to any Kubernetes namespaces other than
default, you will need to ensure that those pull secrets contain an API key.
After August 12, 2020, IAM will be the only accepted form of authentication for IBM Cloud Container Registry. To prepare for this, please remove all uses of registry and UAA tokens and migrate to IAM. API keys are the recommended approach for automation and pull secrets.
There are lots of benefits to using IAM API keys instead of registry tokens. With IAM API keys, you can add IAM policies for more fine-grained control over access. For instance, you can create IAM access policies to restrict permissions to specific registry namespaces so that a cluster can only pull images from those namespaces.