Skip to content

Registry commands

Store per-registry credentials the daemon uses to pull private images — for run, app create, and an app's re-pull on restart. Credentials live on the daemon (not read from your local ~/.docker/config.json), so a durable app on a private image survives a restart. See Private registries for the full picture and the supported-registry table.

Command Description
registry login <host> [flags] store (or replace) a credential for a registry host
registry ls list stored credentials — host + username only, never the secret
registry logout <host> remove a stored credential

Login flags

-u/--username (may be empty for token-only registries), and one of: --password-stdin (read the secret from stdin — recommended, keeps it out of shell history), -p/--password <secret> (warns; ends up in history), or — with neither — an interactive masked prompt.

# Recommended: pipe the token in
echo "$GH_TOKEN" | crucible registry login ghcr.io -u my-user --password-stdin

# AWS ECR (12h token — re-run periodically)
aws ecr get-login-password --region us-east-1 \
  | crucible registry login <acct>.dkr.ecr.us-east-1.amazonaws.com -u AWS --password-stdin

crucible registry ls          # HOST  USERNAME  ADDED  (no secret)
crucible registry logout ghcr.io
Was this page helpful?