Akka Serverless will need the correct permissions to access your packaged service images. You can set up Docker credentials to secure the username and password for each Docker Registry server.
If your registry requires a password, you need to set Docker credentials per Docker server, per Docker project. The Docker server that hosts the Docker Registry is the first part of the Docker image tag. For example, if your image is at
The following provide details for using:
If your Docker images are deployed to a Docker registry that is not publicly accessible, you will need to configure credentials for Akka Serverless to be able to pull from that registry.
Docker credentials can be added to your project using the
akkasls docker add-credentials command. You will need the following information:
Server: The first part of the Docker image tag. For example, if your image is at
us.gcr.io/my-project/my-image, the server is
https://us.gcr.io. This field is mandatory.
Username: The username. This field is optional.
Email: The email. This field is optional, though most Docker registries require it, sometimes filled with any email address.
Password: The password. This field is mandatory.
Once you have the above, you can add the Docker credentials to Akka Serverless using the following command:
akkasls docker add-credentials --docker-server <my-server> \ --docker-username <my-username> \ --docker-email <my-email> \ --docker-password <my-password>
List Docker credentials with the
akkasls docker list-credentials command:
akkasls docker list-credentials
The results should look something like:
ID SERVER USERNAME EMAIL 89e41d75-aa70-4b9c-805f-ea35ee2622f0 https://us.gcr.io _json_key email@example.com
To set up Docker credentials for Docker Hub, pass
akkasls docker add-credentials the URL https://index.docker.io/v1/` with the username, email, and password for your account. For example,
akkasls docker add-credentials --docker-server https://index.docker.io/v1/ \ --docker-username <my-username> \ --docker-email <my-email> \ --docker-password <my-password>
Docker has rate limits for unauthenticated and free Docker Hub usage. For unauthenticated users, pull rates are limited for individual IP address (e.g., for anonymous users: 100 pulls per 6 hours per IP address). For our outbound traffic, Akka Serverless leverages a limited set of IP addresses. This means that unauthenticated pulls might be rate limited. The limit for unauthenticated pulls is shared with all users of the Akka Serverless platform.
This is why we recommend configuring your registry to provide authentication details . For authenticated users, pull requests are based on that account and not on the IP. For a detailed overview of account limits see this page.
You can check whether you’re using Docker Hub public images by checking the
To add credentials for a Google Container Registry (GCR), you need to create a service account, and supply the JSON key for that service account as the password for the credentials, with a username of
_json_key. Find detailed configuration instructions in the Google documentation . We provide steps below for getting started quickly.
At time of writing, configuring a private
Create the service account, in this case we’re calling the service account
gcloud iam service-accounts create akkaserverless-docker-reader
Grant the GCP storage object viewer role to the service account, to do this you will need your GCP project’s id:
gcloud projects add-iam-policy-binding <gcp-project-id> \ --member "serviceAccount:akkaserverless-docker-reader@<gcp-project-id>.iam.gserviceaccount.com" \ --role "roles/storage.objectViewer"
Generate a key file for your service account:
gcloud iam service-accounts keys create keyfile.json \ --iam-account akkaserverless-docker-reader@<gcp-project-id>.iam.gserviceaccount.com
Configure your Akka Serverless project to use these credentials, by passing the contents of the key file as the password. You will need to specify the GCR server here, either
asia.gcr.io. Below we use
akkasls docker add-credentials --docker-server https://us.gcr.io \ --docker-username _json_key \ --docker-email firstname.lastname@example.org \ --docker-password "$(cat keyfile.json)"
To add credentials for Azure Container Registry (ACR), you need to create a service principal, and supply the username and password generated for it. Detailed instructions on how to configure this can be found here , below are steps for getting started quickly.
Get the full registry ID for subsequent commands for the Azure Container Registry called
ACR_REGISTRY_ID=$(az acr show —name akkaserverless-registry —query id —output tsv)
Create the service principal and return a password. In this case we’re calling the service principal
akkaserverless-docker-readerand use a role that only allows pulling containers from ACR
SP_PASSWD=$(az ad sp create-for-rbac --name http://akkaserverless-docker-reader --scopes $ACR_REGISTRY_ID --role acrpull --query password --output tsv)
The next step is to get the application ID of the service principal which is used as the username for the docker credentials.
SP_APP_ID=$(az ad sp show —id http://akkaserverless-docker-reader —query appId —output tsv)
Configure your Akka Serverless project to use these credentials, by passing in the outputs of the previous commands:
akkasls docker add-credentials --docker-server akkaserverless-registry.azurecr.io \ --docker-username "$SP_APP_ID" \ --docker-password "$SP_PASSWD"