Skip to content
Latchkey

podman login: Authenticate to a Registry

podman login authenticates to a registry and caches the credentials for later pulls and pushes.

CI jobs log in once with a token from a secret, then pull and push without passing credentials again. Always feed the password on stdin so it never lands in process listings or logs.

What it does

podman login sends credentials to a registry and, on success, writes them to an auth file (by default ${XDG_RUNTIME_DIR}/containers/auth.json). Subsequent podman pull and podman push reuse that cached token.

Common usage

Terminal
echo "$GHCR_TOKEN" | podman login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
podman login -u user -p "$REG_PASS" registry.example.com
podman login --authfile /tmp/auth.json registry.example.com

Options

FlagWhat it does
-u, --username <user>Registry username
-p, --password <pass>Password (prefer --password-stdin)
--password-stdinRead the password from stdin
--authfile <path>Write credentials to a specific file
--tls-verify=falseSkip TLS verification (test registries only)
--get-loginPrint the current logged-in username

In CI

Use --password-stdin with a secret piped via echo so the token does not appear in argv or shell history. Point --authfile at a job-scoped file (and REGISTRY_AUTH_FILE) when multiple steps need isolated credentials.

Common errors in CI

"Error: authenticating creds for ...: unable to retrieve auth token: invalid username/password: unauthorized" means wrong credentials or a token lacking write scope. "x509: certificate signed by unknown authority" on a private registry needs the CA trusted or --tls-verify=false for test only. "error getting credentials ... exec: docker-credential-...: executable file not found" means a credential helper is configured but missing; remove the credHelpers entry or install it.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →