Docker Config Reference (docker login / logout)

Purpose of the docker login Command

The docker login command serves to authenticate a user's credentials with a Docker registry, enabling secure access for pushing and pulling images. By default, it targets Docker Hub, but it can be configured for other public or private registries, such as Amazon ECR, Google Container Registry, or self-hosted options. Authentication typically involves providing a username and password (or access token), which Docker stores securely in a local credential store to facilitate subsequent operations without repeated prompts. This command is essential for managing private repositories, ensuring compliance with access controls, and integrating with CI/CD pipelines where automated image handling is required. It enhances security by avoiding plaintext credential exposure and supports token-based authentication for enhanced protection in enterprise environments.

5 Examples of Using the docker login command

Example 1: Logging into Docker Hub with Username and Password

docker login -u yourusername -p yourpassword

This command authenticates with Docker Hub using a provided username and password, suitable for initial setup on a personal development machine to access public or private repositories.

Example 2: Logging into a Private Registry with Token Authentication

docker login myprivateregistry.example.com --username token --password youraccesstoken

This command logs into a custom private registry using a token instead of a traditional password, which is common in secure enterprise environments where API keys or service accounts are used for automated builds.

Example 3: Logging into AWS ECR with Region Specification

docker login -u AWS -p $(aws ecr get-login-password --region us-west-2) public.ecr.aws

This command authenticates with Amazon Elastic Container Registry (ECR) by retrieving a temporary password via the AWS CLI, ideal for cloud-based workflows integrating with AWS services in a specific region.

Example 4: Logging into Google Container Registry (GCR) Using JSON Key

cat /path/to/key.json | docker login -u _json_key --password-stdin gcr.io

This command logs into Google Container Registry using a service account JSON key piped from stdin, which is effective for CI/CD pipelines on Google Cloud Platform where key files provide secure, non-interactive access.

Example 5: Logging into a Self-Hosted Registry with Custom CA Certificate

docker login --tls-verify myregistry.local:5000 -u admin -p securepass

This command authenticates with a self-hosted registry while enforcing TLS verification (assuming a custom CA is configured), appropriate for internal networks requiring encrypted connections and certificate validation for enhanced security.

5 Examples of Using the Docker Logout Command

docker logout

This command executes a logout from the default Docker registry, which is Docker Hub (registry-1.docker.io). It removes any stored authentication credentials for the current user from the Docker credential store, ensuring that subsequent push or pull operations to Docker Hub will require re-authentication. This is particularly useful for security purposes, such as after completing operations on a shared machine or when rotating credentials.

docker logout myregistry.example.com

This command logs out from a specified private Docker registry located at myregistry.example.com. By providing the server URL, it targets the removal of credentials exclusively for that registry, leaving credentials for other registries, such as Docker Hub, intact. This approach is essential in environments managing multiple registries to maintain isolated security controls.

docker logout gcr.io

This command performs a logout from Google Container Registry (GCR) at gcr.io. It clears the stored access tokens or credentials associated with the Google Cloud account, preventing unauthorized use in future sessions. This is advisable when switching between Google Cloud projects or concluding deployment activities to uphold access management best practices.

docker logout --help

This command displays the help documentation for the docker logout command, including available options, usage syntax, and descriptions. It serves as a reference tool for users seeking clarification on command functionality without executing an actual logout, thereby supporting informed usage in scripting or administrative tasks.

docker logout quay.io

This command logs out from the Quay.io registry, removing any stored authentication details for that specific server. It is beneficial for users working with Red Hat's container registry, ensuring that credentials are not persisted after sessions involving image pushes or pulls, which enhances security in multi-registry workflows.