IBM Cloud Container Registry will not accept UAA tokens for authentication starting August 12, 2020.

IBM Cloud Container Registry has supported IAM as its main form of authentication for several years now. In parallel, IBM Cloud Container Registry continued to support UAA and registry tokens as deprecated forms of authentication. On August 12, 2020, UAA tokens will no longer be accepted for authenticating to IBM Cloud Container Registry. Registry tokens will continue to work, but an end of support for registry tokens will come in the near future. All customers who are not already doing so should begin using IAM for authenticating to IBM Cloud Container Registry.

Next steps to use IAM for authentication

If you have any automation that uses registry or UAA tokens to authenticate to IBM Cloud Container Registry, you need to update this to use IAM instead. For example, any scripts that perform an explicit docker login and pass something other than the IAM usernames mentioned here must be updated to instead pass a form of IAM authentication. API keys are the recommended approach for automation. Note that ibmcloud cr login performs a docker login under the covers, but this is already updated to log in with IAM.

Kubernetes clusters can use image pull secrets to pull images from private registries. If any Kubernetes namespaces in your cluster rely on pull secrets that contain a registry or UAA token, these need to be replaced with pull secrets that contain an IAM API key. 

IBM Cloud Kubernetes Service clusters created before February 25, 2019, do not have IAM API keys in pull secrets and, therefore, need to be updated. This update is automated by the IBM Cloud Container Registry CLI plugin, and instructions can be found here. Clusters created after February 25, 2019, already contain updated pull secrets. However, if you copied pull secrets containing registry tokens to any Kubernetes namespaces other than default, you will need to ensure that those pull secrets contain an API key.

Summary

On August 12, 2020, UAA tokens will no longer be accepted to authenticate to IBM Cloud Container Registry. Registry tokens will continue to work but are deprecated, and an end of support will come in the near future. Ensure that you are not using UAA tokens for authentication and consider removing all uses of registry tokens and migrating fully to IAM. API keys are the recommended approach for automation and pull secrets.

There are lots of benefits to using IAM API keys instead of registry tokens. With IAM API keys, you can add IAM policies for more fine-grained control over access. For instance, you can create IAM access policies to restrict permissions to specific registry namespaces so that a cluster can only pull images from those namespaces.