Oracle Cloud Infrastructure Documentation

Vault Secrets for Image Pull Authorization

You can host container images in private registries or repositories that require authorization in order to pull the images. We recommend that you store your credentials using the Oracle Cloud Infrastructure Vault service for enhanced security and ease of credentials management.

Alternatively, you can provide a username and password to the Oracle Cloud Infrastructure Container Instances service directly, see the CreateBasicImagePullSecretDetails for more information.

Create Credentials

The type of username and password that is required to pull your image depends on the registry. The credentials are usually the same that you use for the registry through the Docker CLI. For example, they would be the same credentials that you use for docker login before you pull the image with docker pull.

Vault secrets for image authorization is intended for use with external registries, such as Docker Hub. For private repositories in Container Registry, use IAM policies based upon Container Instances resource principals. For more information, see Container Instances Policy Examples.

Create Your Vault Secret

Create a vault secret that contains the image pull credentials. The secret must be a JSON string with username and password fields. Any additional fields will be ignored. Take note of the OCID of the secret that you create because you will need the OCID later in the process.

For example, if your username is "container-instance-user" and your password is "<password>", then the secret will be:

{
 "username": "container-instance-user",
 "password": "<password>"
}
Vault secrets are versioned. Container Instances always uses the latest version of a secret.

Allow Container Instances to Read Vault Secrets

The container instances that you create must have permission to read the vault secrets provided for image authorization.

  1. Create a dynamic group that includes the container instances that you want to grant read permission.

    The following example dynamic group matching rule will include all container instances in your tenancy.

    ALL {resource.type='computecontainerinstance'}

  2. Create a policy that allows the dynamic group to read the vault secrets in question. Specifically, the group must be able to read the vault secret bundles.

    The following example policy allows the given dynamic group to read all vault secret bundles in your tenancy. Replace <dynamic-group-name> with the actual name of your dynamic group.

    allow dynamic-group <dynamic-group-name> to read secret-bundles in tenancy

These policies are basic examples that give relatively broad access. You can use standard IAM policy mechanisms to edit these policies to create stricter permissions, such as limiting the scope to container instances or secrets in a single compartment. For more information, see Managing Policies.

Create Your Container Instance Using Vault Secrets for Image Authorization

If you want to use vault secrets for image authorization, use the Container Instances API, SDKs, or CLI.

When you build the request to create the container instance, provide a CreateVaultImagePullSecretDetails entry in the imagePullSecrets field of CreateContainerInstanceDetails.

The following example shows an abbreviated CreateContainerInstanceDetails.:

{
  "containers": [
    {
      "imageUrl": "example.registry.io/container-instance-user/example-image:latest",
      < ... other fields ... >
    }
  ],
  "imagePullSecrets": [
    {
      "secretType": "VAULT",
      "registryEndpoint": "example.registry.io/container-instance-user",
      "secretId": "ocid1.vaultsecret.oc1.<region_code>.<unique_ID>"
    }
  ],
  < ... other fields ... >
}

When Container Instances pulls the image example.registry.io/container-instance-user/example-image:latest, it uses the credentials stored in the secret with the OCID ocid1.vaultsecret.oc1.<region_code>.<unique_ID>.

Image pull secrets are defined separately from the container specifications. If registryEndpoint is a prefix of imageUrl, it is a match. Multiple matches are allowed. When Container Instances pulls the image, the matching image pull secrets will be tried in sequence until the pull is successful.

In the following example, the matching secrets for image example.registry.io/abc/one:latest are secret.ocid.abc and secret.ocid.one. And the matching secrets for image example.registry.io/abc/two:latest are secret.ocid.abc and secret.ocid.two.

{
  "containers": [
    {
      "imageUrl": "example.registry.io/abc/one:latest"
    },
    {
      "imageUrl": "example.registry.io/abc/two:latest"
    },
  ],
  "imagePullSecrets": [
    {
      "secretType": "VAULT",
      "registryEndpoint": "example.registry.io/abc",
      "secretId": "secret.ocid.abc"
    },
    {
      "secretType": "VAULT",
      "registryEndpoint": "example.registry.io/abc/one",
      "secretId": "secret.ocid.one"
    },
    {
      "secretType": "VAULT",
      "registryEndpoint": "example.registry.io/abc/two",
      "secretId": "secret.ocid.two"
    },
  ]
}