Automate workflows with Robot Accounts in STACKIT Container Registry
Last updated on
For CI/CD pipelines, infrastructure-as-code scripts, or any other form of automation, using personal user credentials is a security anti-pattern. STACKIT Container Registry provides a secure and manageable solution for programmatic access through Robot Accounts. These are non-human service accounts designed specifically for automation.
A project Robot Account’s permissions are limited to the project in which it was created. This is ideal for a CI/CD pipeline that builds and pushes an image for a single application, as it ensures the pipeline cannot access any other projects.
Create a project Robot Account
- Navigate to your project and select the Robot Accounts tab.
- Click New Robot Account.
- Provide a name and an optional description.
- Set an expiration date for the token. It is a security best practice to set an expiration period to enforce regular token rotation.
- Assign only the specific permissions the Robot Account needs. For example, a build pipeline typically requires repository:push and repository:pull.
- After creation, you see the Robot Account’s token (secret). You must copy or export this token immediately. It is not stored and cannot be retrieved later.
- Store this token securely in your CI/CD system’s secret manager.
Use the Robot Account
To authenticate in a script, use the docker login command with the Robot Account’s full name and its secret. The Robot Account’s name follows the format <prefix><project_name>+<account_name>.
docker login <stackit-cr-hostname> -u "<robot-account-full-name>" -p "<robot-secret>"
Important Note: When using a Robot Account, you must put a backslash \ in front of the $ character in its name, because the shell would otherwise treat the text after $ as a variable reference. For example, if the user is robot$testrobot, the syntax should be:
docker login --username robot\$testrobot
Robot account permission reference
The following table provides a reference for common permissions that can be assigned to a Robot Account.
| Resource | Action | Description |
|---|---|---|
| repository | pull | Allows pulling artifacts (images, charts) from a repository. |
| repository | push | Allows pushing artifacts to a repository. (Requires pull permission). |
| artifact | delete | Allows deleting an artifact from a repository. |
| artifact | read | Allows reading artifact metadata. |
| artifact-label | create | Allows adding a label to an artifact. |
| scan | create | Allows initiating a vulnerability scan on an artifact. |
| scan | read | Allows reading the vulnerability report of an artifact. |
| tag-retention | create | Allows creating a tag retention rule for a project. |
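The docker login from the “Use the Robot Account” section above, written the way a CI job would run it, as an added example (not code from the STACKIT documentation). It makes the $-quoting pitfall visible and goes one step beyond the page by passing the secret on stdin with docker’s --password-stdin instead of a -p argument, so the secret is not exposed in the process list or shell history. The variable names CR_HOST, CR_ROBOT_USER, CR_ROBOT_SECRET and DOCKER, and the registry host cr.example.invalid, are assumptions made for this example:

```shell
#!/bin/sh
# Added example (not from the STACKIT documentation): logging in with a Robot
# Account from a CI job. Two details matter:
#   1. the '$' in the account name must reach docker literally, and
#   2. the secret should be passed on stdin (--password-stdin) rather than as a
#      -p argument, which is visible in the process list and shell history.
# Assumed, not from the page: the CI variables CR_HOST, CR_ROBOT_USER and
# CR_ROBOT_SECRET, and the DOCKER variable that lets a dry run replace "docker".
set -e

DOCKER="${DOCKER:-docker}"

# The quoting pitfall the docs warn about, made visible: inside double quotes
# the shell reads $testrobot as a (here unset) variable, so the name collapses
# to "robot". Single quotes or a backslash keep the '$' literal.
name_in_double_quotes() { printf '%s' "robot$testrobot"; }
name_in_single_quotes() { printf '%s' 'robot$testrobot'; }
name_with_backslash()   { printf '%s' "robot\$testrobot"; }

# Log in to $1 (registry host) as $2 (Robot Account full name). The secret is
# taken from CR_ROBOT_SECRET and piped to docker; it never appears in argv.
# A value held in a variable is not expanded a second time, so "$2" passes a
# name like robot$testrobot through unchanged. Returns docker's exit status,
# or 2 when no secret is available.
robot_login() {
    host="$1"
    user="$2"
    if [ -z "${CR_ROBOT_SECRET:-}" ]; then
        echo "CR_ROBOT_SECRET is not set; refusing to log in" >&2
        return 2
    fi
    printf '%s' "$CR_ROBOT_SECRET" |
        "$DOCKER" login "$host" --username "$user" --password-stdin
}

# Entry point for a CI job; skipped when the variables are absent so the
# functions above can be sourced and exercised without a registry.
if [ -n "${CR_HOST:-}" ] && [ -n "${CR_ROBOT_USER:-}" ]; then
    robot_login "$CR_HOST" "$CR_ROBOT_USER"
fi
```

Run it as `CR_HOST=<stackit-cr-hostname> CR_ROBOT_USER='<robot-account-full-name>' CR_ROBOT_SECRET="$CI_SECRET" ./login.sh`; setting `DOCKER=echo` prints the command that would run instead of executing it. docker itself prints a warning when a password is passed with -p on the command line, which is why the secret goes through stdin here.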