Docker Hub Dynamic Secrets

You can define a Docker Hub Dynamic Secret to generate just-in-time personal access tokens for your Docker repository.

Prerequisites

  • An Akeyless Gateway.

  • Docker privileged user to be used to generate access tokens.

Create a Dynamic Docker Hub Secret from the CLI

👍

Note

We recommend using dynamic secrets with Targets. While it saves time for multiple secret-level configurations by not requiring you to provide an inline connection string each time, it is also important for security streamlining. Using a target allows you to rotate credentials without breaking the credential chain for the objects connected to the server used, using inline will force you to go and change the credentials in each individual item instead of just the target.

To create a dynamic Docker Hub secret from the CLI using an existing Docker Hub Target, run the following command:

akeyless dynamic-secret create dockerhub \
--name <Dynamic Secret Name> \
--target-name <Target Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--dockerhub-token-scopes 'repo:admin,repo:write,repo:read,repo:public_read'

Or using an inline connection string:

akeyless dynamic-secret create akeyless dynamic-secret get-valuedockerhub \
--name <Dynamic Secret Name> \
--gateway-url 'https://<Your-Akeyless-GW-URL:8000>' \
--dockerhub-token-scopes 'repo:admin,repo:write,repo:read,repo:public_read' \      
--dockerhub-username <Username for docker repository> \
--dockerhub-password <Password for docker repository>

Where:

  • name: A unique name of the dynamic secret. The name can include the path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  • target-name: A name of the target that enables connection to the Docker repository. The name can include the path to the virtual folder where this target resides.

  • gateway-url: Akeyless Gateway Configuration Manager URL (port 8000).

  • dockerhub-token-scopes: A comma-separated list of scopes that could be assigned to the temporary access token. Available options are repo:admin, repo:write, repo:read, repo:public_read.

Each permission scope includes lower-permission scopes, i.e., repo:admin includes all the rest of the permission scopes, repo:write contains repo:read and repo:public_read, etc.

👍

Note

If you don't have a configured Docker Hub target yet, you should create it first.

Inline connection string

If you don't have Docker Hub Target yet, you can use the command with your Docker Hub connection string:

  • dockerhub-username: A username of the privileged user of the Docker repository.

  • dockerhub-password: A password of the privileged user of the Docker repository.

You can find the complete list of parameters for this command in the CLI Reference - Dynamic Secrets section.

Fetch a Dynamic Docker Hub Secret value from the CLI

To fetch a dynamic Docker Hub secret value from the CLI, run the following command:

akeyless dynamic-secret get-value --name <Path to your dynamic secret>

Create a Dynamic Docker Hub Secret in the Akeyless Console

👍

Note

To start working with dynamic secrets from the Akeyless Console, you need to configure the Gateway URL thus enabling communication between the Akeyless SaaS and the Akeyless Gateway.

To create dynamic secrets directly from the Akeyless Gateway, you can use the Gateway Configuration Manager.

  1. Log in to the Akeyless Console, and go to Items > New > Dynamic Secret.

  2. Select the Docker Hub secret type and click Next.

  3. Define a Name of the dynamic secret, and specify the Location as a path to the virtual folder where you want to create the new dynamic secret, using slash / separators. If the folder does not exist, it will be created together with the dynamic secret.

  4. Define the remaining parameters as follows:

  • Target mode: In this section, you can either select an existing Docker Hub Target or specify details of the target Docker repository explicitly.

    • Use the Choose an existing target drop-down list to select the existing Docker Hub Target.

    • Select the Explicitly specify target properties option, to provide details of the target Docker repository in the next step.

  • Token Scopes: Select permission scopes to assign to the token. Each permission scope includes lower-permission scopes, i.e., Admin includes all the rest of the permission scopes, Write contains Read and Public, etc.

  • User TTL: Provide a time-to-live value for a dynamic secret (i.e., a token). When TTL expires, the token becomes obsolete.

  • Time Unit: Select the time unit (seconds,minutes, hours) for the TTL value.

  • Gateway: Select the Gateway through which the dynamic secret will create users.

  • Protection key: To enable Zero-Knowledge, select a key with a Customer Fragment. For more information about Zero-Knowledge, see Implement Zero Knowledge

  1. If you checked the Explicitly specify target properties radio button, click Next.

  2. Provide details of the target Docker repository credentials:

  • Username: Provide the username of the Docker repository user with privileges to create temporary access tokens.

  • Password: Provide the password of the privileged user.

  1. Click Finish.

Fetch a Dynamic Docker Hub Secret value from the Akeyless Console

  1. Log in to the Akeyless Console, and go to Items.

  2. Browse to the folder where you created a dynamic secret.

  3. Select the secret and click Get Dynamic Secret button.