Skip to content

Authentication to the Registry

The registry distinguishes two authentication methods depending on whether you use the web interface or the command line.

Context Username Password
Web interface (registry.isima.fr) UCA account (SSO) UCA password
Command line (docker login) Your username CLI secret (not your UCA password)

Web interface: login via SSO

Access to the web interface is done via the Single Sign-On (SSO) of ISIMA / LIMOS.

  1. Go to https://registry.isima.fr
  2. You will be redirected to the ISIMA / LIMOS SSO
  3. Authenticate with your UCA account (the same one used for email, Moodle, Teams…)

First login

On your first login, your account is automatically created in the registry. You can then create your own projects.

Command line: the CLI secret

Your UCA password does not work with docker login

Command-line tools (docker, podman, helm…) cannot handle SSO/OIDC redirection. Harbor therefore provides an alternative dedicated identifier: the CLI secret.

Retrieve your CLI secret

  1. Log in to the web interface (see above)
  2. Click on your username at the top right, then User Profile
  3. The CLI secret is displayed; click on the icon to copy it

User profile and CLI secret

Authenticate with docker login

Use your username and the CLI secret as the password:

docker login registry.isima.fr -u <your_login>
# Password: paste your CLI secret here

Non-interactive authentication (scripts, CI)

To avoid entering the secret interactively, pass it via standard input. This is the recommended method as it does not write the secret to the shell history:

echo "$CLI_SECRET" | docker login registry.isima.fr -u <your_login> --password-stdin

For long-term access (pipelines, servers), however, prefer a robot account rather than your personal CLI secret.

Regenerate your CLI secret

If your secret is compromised or lost:

  1. In User Profile, click the icon
  2. Choose to automatically generate a new secret, or enter one manually

Only one CLI secret at a time

Each user has only one CLI secret. As soon as a new secret is generated, the old one is immediately invalidated: remember to update your existing docker login commands.

The CLI secret is linked to your OIDC authentication token

Harbor automatically refreshes this token, so the CLI secret remains valid even after expiration. However, if the refresh fails, the secret becomes invalid: log in again to the web interface via SSO so that Harbor can obtain a new token and reactivate the secret.