Registry auth config location for daemonless builds in CI
Each daemonless builder reads registry credentials from a specific location. Kaniko uses /kaniko/.docker/config.json; Buildah and podman use a containers auth file (often $XDG_RUNTIME_DIR/containers/auth.json or ~/.docker/config.json). Writing auth to the wrong path leaves the tool unauthenticated.
What this error means
A push fails with unauthorized even though you wrote a config file, because the file is not at the path the specific tool reads.
# Kaniko reads /kaniko/.docker/config.json
# Buildah/podman read $REGISTRY_AUTH_FILE or containers/auth.json
Error: unauthorized: authentication requiredCommon causes
Auth written to the wrong file for the tool
A config.json placed where Kaniko expects will not be read by Buildah, and a containers auth.json is not where Kaniko looks.
REGISTRY_AUTH_FILE unset for Buildah/podman
Without REGISTRY_AUTH_FILE, Buildah and podman look in default runtime paths that may not hold your CI-written credentials.
How to fix it
Write auth where each tool reads it
For Kaniko, use /kaniko/.docker/config.json. For Buildah/podman, point REGISTRY_AUTH_FILE at your file.
# Kaniko
mkdir -p /kaniko/.docker && cp config.json /kaniko/.docker/config.json
# Buildah / podman
export REGISTRY_AUTH_FILE=/tmp/auth.json
buildah login --authfile "$REGISTRY_AUTH_FILE" registry.example.comVerify the auths host matches the destination
Whatever file you use, the auths key must match the destination registry hostname exactly.
How to prevent it
- Know which auth file each daemonless tool reads and write there.
- Set REGISTRY_AUTH_FILE explicitly for Buildah/podman in CI.
- Match the auths hostname to the exact destination registry.