Download manifest of private repository from Docker Registry API

Question

Normally, e.g., for the alpine image, we obtain an auth token via:

curl -i "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/alpine:pull"

Then we can use it to obtain the manifest from the registry:

curl -i -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" https://registry-1.docker.io/v2/library/alpine/manifests/latest

When we replace library/alpine with a private repository of ours (ourcompany/ourrepo) obtaining a token still works, however, downloading the manifest results in:

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Docker-Distribution-Api-Version: registry/2.0
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:ourcompany/ourrepo:pull",error="insufficient_scope"
Date: Tue, 26 May 2020 10:32:56 GMT
Content-Length: 168
Strict-Transport-Security: max-age=31536000

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"ourcompany/ourrepo","Action":"pull"}]}]}

How to circumvent this 401 error?

Do we need to obtain additional tokens? Send authentication credentials in addition? Do something completely differently?

Answer 1

You need to authenticate the call to /token using Basic Authentication https://docs.docker.com/registry/spec/auth/jwt/#getting-a-bearer-token

Then from that you receive a Bearer token which you use as you did with a public repository. The /token endpoint only supports basic authentication.

curl -i -H "Authorization: Basic $BASIC_AUTH" "https://auth.docker.io/token?service=registry.docker.io&scope=repository:myprivaterepo/myprivateimage:pull"
curl -i -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" https://registry-1.docker.io/v2/myprivaterepo/myprivateimage/manifests/latest