Skip to content
Latchkey

Registry auth config location for daemonless builds in CI

Each daemonless builder reads registry credentials from a specific location. Kaniko uses /kaniko/.docker/config.json; Buildah and podman use a containers auth file (often $XDG_RUNTIME_DIR/containers/auth.json or ~/.docker/config.json). Writing auth to the wrong path leaves the tool unauthenticated.

What this error means

A push fails with unauthorized even though you wrote a config file, because the file is not at the path the specific tool reads.

ci
# Kaniko reads /kaniko/.docker/config.json
# Buildah/podman read $REGISTRY_AUTH_FILE or containers/auth.json
Error: unauthorized: authentication required

Common causes

Auth written to the wrong file for the tool

A config.json placed where Kaniko expects will not be read by Buildah, and a containers auth.json is not where Kaniko looks.

REGISTRY_AUTH_FILE unset for Buildah/podman

Without REGISTRY_AUTH_FILE, Buildah and podman look in default runtime paths that may not hold your CI-written credentials.

How to fix it

Write auth where each tool reads it

For Kaniko, use /kaniko/.docker/config.json. For Buildah/podman, point REGISTRY_AUTH_FILE at your file.

Terminal
# Kaniko
mkdir -p /kaniko/.docker && cp config.json /kaniko/.docker/config.json
# Buildah / podman
export REGISTRY_AUTH_FILE=/tmp/auth.json
buildah login --authfile "$REGISTRY_AUTH_FILE" registry.example.com

Verify the auths host matches the destination

Whatever file you use, the auths key must match the destination registry hostname exactly.

How to prevent it

  • Know which auth file each daemonless tool reads and write there.
  • Set REGISTRY_AUTH_FILE explicitly for Buildah/podman in CI.
  • Match the auths hostname to the exact destination registry.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →