- For a local machine, use a Docker credentials helper.
- For a CI/CD environment, use a service account and either issue a long-lived static key and save it in your pipeline settings, or get a short-lived token each time your pipeline runs.
Working on a local machine
On your local machine, you can simply configure a Docker credentials helper to work with Container Registry.-
Run the following command:
-
Check that the credentials helper is configured:
-
Open the the file from the previous command output, for example, with the
catcommand: -
Check that the
credHelpersproperty contains the following lines:
-
Open the the file from the previous command output, for example, with the
docker command after this configuration, it requests credentials from nebius, which might require you to log in with the help of the web console.
Working in a CI/CD environment
In your CI/CD environment, you are unlikely to be able to log into the web console. Therefore, you need to create a service account and use it to get credentials. Make sure that the service account is in a group that has at least theviewer role within your tenant; for example, the default viewers group.
There are two ways to work with a service account:
- Issue a long-lived static key for Container Registry.
- Get a short-lived access token in each run of your pipeline job.
Long-lived static key token
To use a long-lived token, you need to issue a static key and store the token in your CI/CD environment configuration.-
Create a static key for your service account:
By default, the key lifetime is 6 months. If you need a different lifetime, add the
--expires-atparameter to this command. It accepts the date of expiration in ISO 8601 format, for example2025-11-23T11:44:43.232142Z. You can set a lifetime of up to 3 years. -
Get the static key token from the
tokenparameter of the output. -
Configure the job that works with Container Registry to use this token:
In this command, set the region of the registry with which the pipeline is working.
Short-lived access token
To use a short-lived access token, you need to get it from Nebius AI Cloud CLI, which should be installed in your CI/CD environment. Access tokens have a lifetime of 12 hours.- Create an authorized key for your service account.
- Install the Nebius AI Cloud CLI in your environment.
-
Configure a profile for your service account in the
.nebius/config.yamlfile. -
Configure the job that works with Container Registry to generate credentials with
nebiusand pipe them directly into adockercommand:In this command, set the region of the registry with which the pipeline is working.
helm registry login:
Troubleshooting
If you are getting the “Permission denied” error when trying to access Container Registry from your local machine, double-check that the Docker credentials helper was configured correctly:-
Check that the system can find the Nebius AI Cloud CLI binary:
It should return a path, for example:If it does not, reinstall Nebius AI Cloud CLI, and then rerun
nebius registry configure-helper. -
Check that the system can find the credentials helper:
It should return a path, for example:If it does not, rerun
nebius registry configure-helper. -
Check that the region of the registry you are trying to access is present in the
.docker/config.jsonfile:If it is not, add it manually or rerunnebius registry configure-helper.