Configuring Docker registries
Akka Serverless needs the correct permissions to access container images. Set up Docker credentials to secure the username and password for each Docker Registry server.
If your registry requires a password, set the Docker credentials per Docker server, per Docker project. The Docker server that hosts the Docker Registry is the first part of the Docker image tag. For example, if your image is at
This topic provides details for using:
If your Docker images are deployed to a Docker registry that is not publicly accessible configure credentials for Akka Serverless to pull from that registry.
Add Docker credentials to your project using the
akkasls docker add-credentials command:
akkasls docker add-credentials --docker-server <my-server> \ (1) --docker-username <my-username> \ (2) --docker-email <my-email> \ (3) --docker-password <my-password> (4)
|1||Server: The first part of the Docker image tag. For example, if your image is at
|2||Username: The username. This field is optional.|
|3||Email: The email. This field is optional, though most Docker registries require it, sometimes filled with any email address.|
|4||Password: The password. This field is mandatory.|
List Docker credentials with the
akkasls docker list-credentials command:
akkasls docker list-credentials
The results should look something like:
ID SERVER USERNAME EMAIL 89e41d75-aa70-4b9c-805f-ea35ee2622f0 https://us.gcr.io _json_key firstname.lastname@example.org
Set up Docker credentials for Docker Hub using the
akkasls docker add-credentials command:
akkasls docker add-credentials --docker-server https://index.docker.io/v1/ \ (1) --docker-username <my-username> \ (2) --docker-email <my-email> \ (3) --docker-password <my-password>(4)
|1||Your Docker Hub registry server URL|
|2||Your Docker username|
|3||Your Docker email|
|4||Your Docker account password|
Docker has rate limits for unauthenticated and free Docker Hub usage. For unauthenticated users, pull rates are limited for individual IP address (e.g., for anonymous users: 100 pulls per 6 hours per IP address). For our outbound traffic, Akka Serverless leverages a limited set of IP addresses. This means that unauthenticated pulls might be rate limited. The limit for unauthenticated pulls is shared with all users of the Akka Serverless platform.
This is why we recommend configuring your registry to provide authentication details . For authenticated users, pull requests are based on that account and not on the IP. For a detailed overview of account limits see this page.
Check whether you’re using Docker Hub public images by checking the
Use the following steps for Google Container Registries (GCR).
Before you begin:
Have a GCP account and have the Registry API enabled.
Have the ID that corresponds with a GCP project.
Configuring a private
Create the service account.
In the following example the service account is named
akkaserverless-docker-reader. Run the create command in your terminal if you have the GCP shell tools installed. Or, run the command from the browser using Cloud Shell Terminal in the Google Cloud Platform (GCP) project.
gcloud iam service-accounts create akkaserverless-docker-reader
Grant the GCP storage object viewer role to the service account.
In the following example, replace
<gcp-project-id>with the GCP project ID.
gcloud projects add-iam-policy-binding <gcp-project-id> \ --member "serviceAccount:akkaserverless-docker-reader@<gcp-project-id>.iam.gserviceaccount.com" \ --role "roles/storage.objectViewer"
Generate the service account
gcloud iam service-accounts keys create keyfile.json \ --iam-account akkaserverless-docker-reader@<gcp-project-id>.iam.gserviceaccount.com
Configure your Akka Serverless project to use these credentials, by passing the contents of the key file as the password.
In the following example the GCR server is configured as`us.gcr.io`. This value can be changed to any of the following:
akkasls docker add-credentials --docker-server https://us.gcr.io \ --docker-username _json_key \ --docker-email email@example.com \ --docker-password "$(cat keyfile.json)"
|Find detailed configuration instructions in the Google documentation .|
To add credentials for Azure Container Registry (ACR), create a service principal, and use the generated username and password credentials to authenticate with Akka Serverless.
|For detailed instructions on how to set up an ACR see Pull images from an Azure container registry to a Kubernetes cluster using a pull secret .|
Use the following steps to configure an ACR registry:
Get the full registry ID for subsequent commands for the Azure Container Registry called
ACR_REGISTRY_ID=$(az acr show —name akkaserverless-registry —query id —output tsv)
Create the service principal and return a password. In this case we’re calling the service principal
akkaserverless-docker-readerand use a role that only allows pulling containers from ACR.
SP_PASSWD=$(az ad sp create-for-rbac --name http://akkaserverless-docker-reader --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
Get the application ID of the service principal to use as the username for the docker credentials.
SP_APP_ID=$(az ad sp show —id http://akkaserverless-docker-reader —query appId —output tsv)
Configure your Akka Serverless project to use these credentials, by passing in the outputs of the previous commands:
akkasls docker add-credentials --docker-server akkaserverless-registry.azurecr.io \ --docker-username "$SP_APP_ID" \ --docker-password "$SP_PASSWD"
Amazon ECR is not supported at this time, because Kubernetes native support for ECR requires running the Kubernetes cluster on an EC2 instance running that is running in the same account as the ECR registry. In ths case the ECR only supports short-lived tokens for authentication.