Pull image from container registry using fine-grained access token

[mkniazuk123]

Hello, is it possible to pull image from ghcr.io using fine-grained personal access token? I've tried to use the token with read permissions but image pull fails with 403 Forbidden status.

[ossanna16]

Hi there @mkniazuk123 and welcome to our community! Thank you for asking a great question 🙂
While you are waiting for a reply to your question, here are a few things you can do:

To get started, introduce yourself in our official introduction thread
To connect with other new users, check out this Discussion to Meet Your GitHub Community Team, further your GitHub knowledge by working through our GitHub Skill 🆙 exercises, and participate in our weekly Fun Friday chats

[arbuckle]

Was just looking into this myself. From the docs, fine-grained tokens are not supported.
https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry

[mkniazuk123]

Thank you @arbuckle

[burn2delete]

I am also having this issue, seems like over the past few days PAT (classic) is now broken for NPM registry also.

[rmehner]

Is this on the road map? It's one of our main use cases for tokens and I'd love to use a finer grained token approach for this.

[michaelmworthington]

Same here. We're looking to enforce fine-grained tokens so we can take advantage of the Enterprise management of the tokens. This will be a blocker to enforcing the removal of classic tokens.

[cledesma]

Fine-grained access token is also not working for me for accessing the Docker registry gchr.io :( This would be great once it works though

[sbkg0002]

Any update on this?

[matejm]

Does GitHub have any plans on fixing this? I think that access token with access only to packages in specific repository is one of the most basic security features they could offer. For example GitLab allows access token generation for individual repo and I think that is much cleaner solution for deployment tokens.

[sammcj]

Any update on this @github?

It seems crazy that in order to publish container images to the Github registry you must use a classic token that has full write access to the repo.

[na-jakobs]

Any updates on this? 🙏

[danbopes]

So looking into this a bit more: I can understand why the devs didn't initially add package support, because packages themselves are tied to an account, or an organization, and not to a specific repository. In our cases, if a package is linked to a repo (And permissions are inherited), it should be fairly trivial to check permission from a fine-grained access token if they have access to read packages that are linked to that repository.

I implore github to add functionality for fine-grained access tokens, as security is important: I don't want to give PAT tokens to my cluster which have more access than what is needed.

[originswift-sys]

Okay, so "repository contents" in fine-grained tokens wasn't it, and I'm never getting back the time I wasted...
Got it 👍

[dummy-andra]

Hi guys, I was able to pull successfully from Github Registry using Fine-Grained token

Repository permissions
Read access to actions, commit statuses, and metadata
Read and Write access to code and pull requests

Can you please try again on your end and let me know how it works?

Thanks,
Andra

[TBG-FR]

Sadly I get Error response from daemon: denied where the Personnal Access Token was working well 😞

However the docker login ghcr.io command answered with Login Succeeded (tried with my username, and also the organization name)

[mkesper]

What pull requests (PRs) have to do with pulling packages? I suspect you had somehow authenticated successfully to the registry before as this does NOT WORK AT ALL.

[mike667]

@dummy-andra Can it work for pushing? I tried to set read-write to all permissions, but actions can't push image to github registry. Got 403.

[dummy-andra]

I used classical token to push to github registry.

I had a project in a repo that used classical token with full permissions and the pipeline from here dit the push.

Other projects in diferite repos that only needed to pull from github registry, were able to do this using fine-grained tokens using the permissions listed in the picture above.

However I even if it worked to pull I faced issues next on the line because "To use the REST API to manage GitHub Packages, you must authenticate using a personal access token (classic)."

So...looks that for now we are stuck using the classic

[EdmundsEcho]

Thank you to everyone that has shared how to grant "package read permission" using the fine-grained access token. With that in mind, I was reminded how the "classic" provides the precise access rights - ironic. Until there is what I would call "direct support" for providing read access to the organization's packages using the fine-grained access token, I might recommend sticking with coke classic token.

[n3mawashi]

Has this worked for anyone recently? I'm trying to get a docker pull working with a fine-grain token but I am having no luck. This is a repo in an org setup.

[singatias]

Any update on this? I refuse to use classic PAT in our organization for security purposes.

[ndrslmpk]

Any updates on this?

[pujux]

this is such an important feature, it's crazy there hasn't been any response from GitHub on this for 2 years

[singatias]

this is such an important feature, it's crazy there hasn't been any response from GitHub on this for 2 years

I've decided to give up on GitHub and start self-hosting gitea for our own repositories, with daily backups on S3 storage at minimal cost. GitHub has too many security issues and a large attack surface. Feel free to copy my solution https://git.openharbor.io/Open-Harbor/gitea

[pujux]

this is such an important feature, it's crazy there hasn't been any response from GitHub on this for 2 years

I've decided to give up on GitHub and start self-hosting gitea for our own repositories, with daily backups on S3 storage at minimal cost. GitHub has too many security issues and a large attack surface. Feel free to copy my solution https://git.openharbor.io/Open-Harbor/gitea

Working on a large scale enterprise project so we're most definitely moving to either Harbor, DockerHub or Azure depending on what our DevOps team chooses to use. I like your alternative though! 🙌

It's just very disappointing this doesn't get any recognition by GitHub as it should be a rather trivial feature which many people and organizations would extremely benefit from...

[singatias]

this is such an important feature, it's crazy there hasn't been any response from GitHub on this for 2 years

I've decided to give up on GitHub and start self-hosting gitea for our own repositories, with daily backups on S3 storage at minimal cost. GitHub has too many security issues and a large attack surface. Feel free to copy my solution https://git.openharbor.io/Open-Harbor/gitea

Working on a large scale enterprise project so we're most definitely moving to either Harbor, DockerHub or Azure depending on what our DevOps team chooses to use. I like your alternative though! 🙌

It's just very disappointing this doesn't get any recognition by GitHub as it should be a rather trivial feature which many people and organizations would extremely benefit from...

Nice I didn't know Harbor as a container registry, looks very interesting :)

[hjannasch]

I also need this feature. Anyone here from github who can place this request higher in the agenda? How long are fine-grained tokens in beta state now? Really annoying...