Skip to main content

Sign in

Just like with docker login, the policy CLI requires you to sign in to an OCIv2-compliant registry.

echo $PAT | policy login -s <server> -u <username> --password-stdin


-s <server>: container registry address

-u <username>: username / account

-p <password>: password or a PAT

--password-stdin: read the password from stdin

AWS Elastic Container Registry

AWS ECR credentials to authenticate can be obtained using the AWS CLI command aws ecr get-login-password.

aws ecr get-login-password |policy login -s <org>.dkr.ecr.<region> -u AWS --password-stdin

Create a new policy repository:

aws ecr create-repository --repository-name <my-policy-name>

This will return a URI to push policy images to.

GitHub Container Registry

To sign in to the registry, use your GitHub account, and a GitHub personal access token (PAT) as your password which contains the appropriate scopes - for example, repo (required), read:org (for organizations), write:packages, and delete:packages.

echo $PAT | policy login -s -u <username> --password-stdin

You can create a GitHub PAT on this page.

Docker Hub

You can use your password or a PAT to login to Docker Hub:

echo $PAT | policy login -s -u <username> --password-stdin

Google Container Registry

Follow the steps to authenticate to GCP here.

For example, create a JSON key file for a service account using the following command:

gcloud iam service-accounts keys create keyfile.json --iam-account [NAME]@[PROJECT_ID]

Then login using policy the same way you would login to docker:

cat KEY-FILE | policy login -s -u _json_key --password-stdin