Hub: allow access tokens for organizations
Tell us about your request: Docker Hub organizations should be able to hand out access tokens which grant access to all org repos.
Which service(s) is this request for? Docker Hub
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? I am one of the owners of a Docker Hub organization. The org maintains a couple of public repos for open-source projects. We push images into those repos from a GitHub Actions workflow. Hence, we need an access token to authenticate against Docker Hub. However, which token to use?
Are you currently working around the issue? An (arbitrary) owner of the organization created a dedicated access token which we use to push images to an org repo.
Additional context: n/a
Our org is also in need of tokens in scope of the organization. At the moment we're using personal access tokens as a workaround. Nevertheless, this always leaves the risk that if a member whose PAT was used for e.g. a pipeline leaves the organization, all of a sudden the pipeline stops working.
I suggest that owners of a Docker Hub organization should be able to manage tokens for the organization.
Hey all, an update here from engineering.
This is something that we know has been asked for for years. We too have this issue internally and I wanted to let you know that we are currently working on some ideas on how to best accomplish this. I can't say much currently, but I can tell you that we are actively working towards some sort of solution here.
We will keep you all posted as we progress on this.
Question: Considering @technicallyjosh's response, does this mean that any personal access tokens I have set up for my user in Docker Hub will be valid for any repositories that exist under an organization that I am a part of?
Yes that is how it works currently @jHubbsy. I can confirm however that we plan to allow for fine-grained access for these PATs in the future. More to come on that as we are working out a solid roadmap around authentication/authorization right now.
A little context on that behavior: Your PAT will only have access to the repos you actually have access to. We take into consideration any contributor status or ones you have access to and the level in your organizations. E.g., a read-only PAT can't read repos you aren't explicitly added to via groups and "read" access in repo management for your org.
Hello friends, just an update here.
I'm happy to confirm that we have started planning the work on org-scoped tokens. We will have more to share soon!
No timeline quite yet, but it's coming!
Hey all, we've just released the first iteration of this!
https://www.docker.com/blog/introducing-organization-access-tokens/
Thanks for this feature! I tried it out today to work with the REST API but got this:
Cannot log into an organization account
I assume that means that these tokens cannot be used with the API, is that correct? The documentation mentions that "You can use an organization access token when you sign in using Docker CLI" but it doesn't say that it is the only way they work. If this is limited to the CLI, it would be good to clarify on the docs.
Thank you!
I assume that means that these tokens cannot be used with the API, is that correct?
Hey sorry for the delay. Yes, correct, we do not support it (yet) on the API. We will be adding more scopes in the near future that will make that type of log in make sense. We started out with just registry access for now. I can say that we'll add more scopes and abilities after we finish our work here soon on Scout and Build Cloud capabilities with OATs.
because I need this mode
Is this available for Free Team Orgs? I cannot see it.
Is this available for Free Team Orgs?
No, this is not supported on free orgs. Only team and business subscriptions.
Hi, I'm learning to try Docker Hub. @
Hi, I found the Read public repositories is unchecked by default when creating the OAT token using the API.
Is there any possibility to enable it? I can't find it in the documentation for enabling that.
Hi, I found the Read public repositories is unchecked by default when creating the OAT token using the API. Is there any possibility to enable it? I can't find it in the documentation for enabling that.
Hey thanks for reaching out here. Looks like it was missed in the docs. You should be able to add it by adding */*/public as one of your paths.