I'm trying to delete an image tag from my private docker registry mydockerregistry.com within a bash script. Authentication is done through registry web mydockerregistry.com:8080, so I get the token first using
TOKEN=`curl -s \
-H "Content-Type: application/json" --user myuser:mypassword \
"http://mydockerregistry.com:8080/api/auth?service=mydockerregistry.com&scope=repository:my-repo/:*" \
| jq -r .token`
With this token I can browse the registry, get the tag I want to delete, etc. Using the tag number I get the digest using
# strip any trailing carriage return left on the header line so the digest is clean for use in a URL
DIGEST=`curl -vk \
-H "Authorization:Bearer $TOKEN" \
-H "Accept:application/vnd.docker.distribution.manifest.v2+json" \
https://mydockerregistry.com/v2/my-repo/manifests/latest 2>&1 \
|grep "< Docker-Content-Digest:" |awk '{print $3}' |tr -d '\r'`
But then, when I run
curl \
-H "Authorization:Bearer $TOKEN" \
-H "Accept:application/vnd.docker.distribution.manifest.v2+json" \
-X DELETE \
https://mydockerregistry.com/v2/my-repo/manifests/$DIGEST
I get the error:
< HTTP/1.1 401 Unauthorized
< Content-Type: application/json; charset=utf-8
< Docker-Distribution-Api-Version: registry/2.0
< Www-Authenticate: Bearer realm="mydockerregistry.com:8080/api/auth",service="mydockerregistry.com",scope="repository:my-repo:*",error="insufficient_scope"
< X-Content-Type-Options: nosniff
< Date: Mon, 18 Oct 2021 21:29:00 GMT
< Content-Length: 160
<
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"my-repo","Action":"*"}]}]}
* Connection #0 to host mydockerregistry.com left intact
I tried changing the scope to pull and to pull,push, but I still always get the 401, even when doing exactly what the Www-Authenticate header says.
What am I missing?
Well, I finally found the problem.
The user I was trying to run the script with has a role 'admin' which only had push and pull permissions, no *.
I created a new role called 'delete-repo' with permissions 'pull, push, *', assigned it to my user, and the magic happened.
Thank you for your help!
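A way to spot this kind of mismatch before touching role configuration, as an added example that is not part of the original question or answer: decode the bearer token the auth service returned and compare the actions it actually carries with the scope the registry demands in its 401 challenge. It assumes the token is a JWT whose `access` claim lists `type`/`name`/`actions` entries (the Docker registry token format) and that a granted `*` covers every action; the function names and the unsigned sample tokens are constructed for illustration.

```python
import base64
import json
import re


def granted_access(token):
    """Decode (without verifying) a registry bearer JWT and return its 'access' claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("access") or []


def challenge_scope(www_authenticate):
    """Pull (type, name, actions) out of the scope= field of a Bearer challenge."""
    m = re.search(r'scope="([^"]+)"', www_authenticate)
    if not m:
        raise ValueError("no scope in challenge")
    rtype, rest = m.group(1).split(":", 1)
    name, actions = rest.rsplit(":", 1)  # split on the last ':' so one inside the name survives
    return rtype, name, actions.split(",")


def missing_actions(token, www_authenticate):
    """Actions the registry demanded that the token does not carry."""
    rtype, name, wanted = challenge_scope(www_authenticate)
    granted = set()
    for entry in granted_access(token):
        if entry.get("type") == rtype and entry.get("name") == name:
            granted.update(entry.get("actions") or [])
    if "*" in granted:  # assumption: a granted "*" covers every action
        return []
    return sorted(a for a in wanted if a not in granted)


def make_sample_token(actions):
    """Constructed, unsigned sample token; a real one comes from the auth endpoint."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    access = [{"type": "repository", "name": "my-repo", "actions": actions}]
    return ".".join([b64({"alg": "none"}), b64({"access": access}), "sig"])


# Challenge header copied from the 401 response in the question.
CHALLENGE = ('Bearer realm="mydockerregistry.com:8080/api/auth",'
             'service="mydockerregistry.com",scope="repository:my-repo:*",'
             'error="insufficient_scope"')

if __name__ == "__main__":
    print(missing_actions(make_sample_token(["pull", "push"]), CHALLENGE))
    print(missing_actions(make_sample_token(["pull", "push", "*"]), CHALLENGE))
```

A non-empty result for a real token means the auth service granted fewer actions than were requested, which points at the user's role rather than at the request itself.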