podman login: Authenticate to a Registry
podman login authenticates to a registry and caches the credentials for later pulls and pushes.
CI jobs log in once with a token from a secret, then pull and push without passing credentials again. Always feed the password on stdin so it never lands in process listings or logs.
What it does
podman login sends credentials to a registry and, on success, writes them to an auth file (by default ${XDG_RUNTIME_DIR}/containers/auth.json). Subsequent podman pull and podman push reuse that cached token.
Common usage
echo "$GHCR_TOKEN" | podman login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
podman login -u user -p "$REG_PASS" registry.example.com
podman login --authfile /tmp/auth.json registry.example.comOptions
| Flag | What it does |
|---|---|
| -u, --username <user> | Registry username |
| -p, --password <pass> | Password (prefer --password-stdin) |
| --password-stdin | Read the password from stdin |
| --authfile <path> | Write credentials to a specific file |
| --tls-verify=false | Skip TLS verification (test registries only) |
| --get-login | Print the current logged-in username |
In CI
Use --password-stdin with a secret piped via echo so the token does not appear in argv or shell history. Point --authfile at a job-scoped file (and REGISTRY_AUTH_FILE) when multiple steps need isolated credentials.
Common errors in CI
"Error: authenticating creds for ...: unable to retrieve auth token: invalid username/password: unauthorized" means wrong credentials or a token lacking write scope. "x509: certificate signed by unknown authority" on a private registry needs the CA trusted or --tls-verify=false for test only. "error getting credentials ... exec: docker-credential-...: executable file not found" means a credential helper is configured but missing; remove the credHelpers entry or install it.