Registry β
SSM supports the following registries:
- ACR (Azure Container Registry)
- CUSTOM (Self-hosted Registry)
- ECR (Amazon Elastic Container Registry)
- GCR (Google Container Registry)
- GHCR (GitHub Container Registry)
- GITLAB (GitLab Container Registry)
- HUB (Docker Hub)
- LSCR (LinuxServer Container Registry)
- Quay
βΉοΈ Default registries
By default, the following registries will be available using anonymous access: ECR, GHCR, GCR, HUB, QUAY
Configuring a registry β
1. Go to settings, "Registries" tab β
2. Select a predefined integration or custom integration (see below) β
ACR (Azure Container Registry) β
The acr registry lets you configure ACR integration.
Variables β
| Name | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
clientid | π΄ | Service Principal Client ID | See Service Principal Auth | |
clientsecret | π΄ | Service Principal Secret | See Service Principal Auth |
Example β
How to create Registry credentials on Microsoft Azure Platform β
Create a Service Principal β
Follow the official Azure documentation.
Get the Client Id and the Client Secret of the created Service Principal β
Go to your Container Registry and click on the Access Control (IAM) Menu β
Click to Add a role assignment β
Select the AcrPull role and assign it to your Service Principal 
CUSTOM (Self-hosted Docker Registry) β
The custom registry lets you configure a self-hosted Docker Registry integration.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
url | π΄ | Registry URL (e.g. http://localhost:5000) | ||
login | βͺ | Login (when htpasswd auth is enabled on the registry) | password must be defined | |
password | βͺ | Password (when htpasswd auth is enabled on the registry) | login must be defined | |
auth | βͺ | Htpasswd string (when htpasswd auth is enabled on the registry) | login/password must not be defined |
Examples β
Configure for anonymous access β
Configure for Basic Auth β
ECR (Amazon Elastic Container Registry) β
The ecr registry lets you configure ECR integration.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
region | π΄ | A valid AWS Region Code | AWS Region list | |
accesskey | π΄ | A valid AWS Access Key Id | Standard AWS Credentials | |
secretaccesskey | π΄ | A valid AWS Secret Access Key | Standard AWS Credentials |
!> The AmazonEC2ContainerRegistryReadOnly Policy (or higher) must be attached to the AWS IAM User.
Examples β
How to create an AWS IAM user and get programmatic access β
1. Login to yourΒ Go to the IAM Service from your AWS Console and create a new user β
2. Attach the AmazonEC2ContainerRegistryReadOnly policy to the user β
3. Get your AccessKeyId and your Secret Access Key and configure SSM with them β
FORGEJO β
The forgejo registry lets you configure a self-hosted Forgejo integration.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
url | π΄ | Registry URL (e.g. https://forgejo.acme.com) | ||
login | π΄ | Gitea username | password must be defined | |
password | π΄ | Gitea password | login must be defined | |
auth | βͺ | Htpasswd string (when htpasswd auth is enabled on the registry) | login/password must not be defined |
Examples β
Configure β
GCR (Google Container Registry) β
The gcr registry lets you configure GCR integration.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
clientemail | βͺ | Service Account Client Email (required for private images access) | See Service Account credentials | |
privatekey | βͺ | Service Account Private Key (required for private images access) | See Service Account credentials |
Examples β
Configure for authenticated access β
How to create a Service Account on Google Cloud Platform β
1. Go to theΒ Service Account page β
2. Create a new Service Account β
3. Add the Container Registry Service Role β
4. Save the Service Account β
5. Create a new key for the newly created Service Account β
6. Download the keyfile JSON file and store it securely β
7. Open the JSON file, get the client_email and private_key values and configure SSM with them β
GHCR (GitHub Container Registry) β
The ghcr registry lets you configure GHCR integration.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
username | βͺ | GitHub username | ||
token | βͺ | GitHub token | GitHub password or GitHub Personal Token |
Examples β
Configure to access private images (credentials needed) β
How to create a GitHub Personal Token β
Go to your GitHub settings and open the Personal Access Token tab β
Click on Generate new token β
Choose an expiration time & appropriate scopes (read:packages is only needed for SSM) and generate. 
Copy the token & use it as the token value β
GITEA β
The gitea registry lets you configure a self-hosted Gitea integration.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
url | π΄ | Registry URL (e.g. https://gitea.acme.com) | ||
login | π΄ | Gitea username | password must be defined | |
password | π΄ | Gitea password | login must be defined | |
auth | βͺ | Htpasswd string (when htpasswd auth is enabled on the registry) | login/password must not be defined |
Examples β
Configure β
GitLab (GitLab Container Registry) β
The gitlab registry lets you configure GitLab integration.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
url | π΄ | GitLab Registry base URL | https://registry.gitlab.com | |
authurl | π΄ | GitLab Authentication base URL | https://gitlab.com | |
token | π΄ | GitLab Personal Access Token |
Examples β
Configure to access images from gitlab.com β
Configure to access images from self-hosted GitLab instance β
How to create a GitLab Personal Access Token β
Go to your GitLab settings and open the Personal Access Token page β
Enter the details of the token to be created β
Choose an expiration time & appropriate scopes (read_registry is only needed for SSM) and generate. 
Copy the token & use it as the token value β
HUB (Docker Hub including private repositories) β
The hub registry lets you configure Docker Hub integration.
Currently, the supported credentials are:
- Docker Hub auth + Docker Hub Access Token
- Docker Base64 credentials (like in .docker/config.json)
- Docker Hub auth + Docker Hub password (not recommended)
!> By default, if you don't configure any registries, SSM will configure a default one with anonymous access.
Don't forget to configure authentication if you're using Docker Hub Private Repositories.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
login | βͺ | A valid Docker Hub Login | token must be defined | |
password | βͺ | A valid Docker Hub Token | login must be defined | |
token | βͺ | A valid Docker Hub Token (deprecated; replaced by password) | login must be defined | |
auth | βͺ | A valid Docker Hub Base64 Auth String | login/token must not be defined |
Examples β
Configure Authentication using Login/Token β
1. Login to yourΒ Docker Hub Account β
2. Go to yourΒ Security Settings β
- Create a new Access Token
- Copy it and use it as the
tokenvalue
Configure Authentication using Base64 encoded credentials β
1. Create an Access Token β
See above "Configure Authentication using Login/Token"
2. Encode with Base64 β
Concatenate $auth:$password and encode with Base64.
For example,
- if your auth is
johndoe - and your password is
2c1bd872-efb6-4f3a-81aa-724518a0a592 - the resulting encoded string would be
am9obmRvZToyYzFiZDg3Mi1lZmI2LTRmM2EtODFhYS03MjQ1MThhMGE1OTI=
LSCR (LinuxServer Container Registry) β
The lscr registry lets you configure LSCR integration.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
username | π΄ | GitHub username | ||
token | π΄ | GitHub token | GitHub password or GitHub Personal Token |
Examples β
How to create a GitHub Personal Token β
Go to your GitHub settings and open the Personal Access Token tab β
Click on Generate new token β
Choose an expiration time & appropriate scopes (read:packages is only needed for SSM) and generate. 
Copy the token & use it as the token value β
Quay β
The quay registry lets you configure Quay integration.
Variables β
| Env var | Required | Description | Supported values | Default value when missing |
|---|---|---|---|---|
namespace | βͺ | Quay namespace | ||
account | βͺ | Quay account | ||
token | βͺ | Quay token |
Examples β
Configure to access private images (credentials needed) β
How to create a Quay.io robot account β
Go to your Quay.io settings and open the Robot Accounts tab β
Click on Create Robot Account β
Choose a name & create it 
Copy the part before the + sign and set it as the namespace env var β
Copy the part after the + sign and set it as the account env var β
Copy the token value and set it as the token env var β
Deleting a registry β
Deleting a custom registry β
To delete a custom registry, simply click on "Delete" on the tile of your custom registry 
Resetting a default registry β
To reset a default registry, simply click on "Reset" on the tile of your custom registry 