Skip to main content
Credentials in Ankra store authentication information for connecting to external services like Helm registries, container registries, and Git providers. Credentials are securely stored and can be referenced when configuring integrations.

Credential Types

Registry Credentials

Authenticate with Helm chart registries (HTTP and OCI).

Git Credentials

Connect to GitHub, GitLab, and other Git providers.

Registry Credentials

Registry credentials authenticate with Helm chart repositories. They’re used when syncing charts from private registries.

Creating a Registry Credential

1

Navigate to Credentials

Go to Credentials in the Ankra dashboard.
2

Add Credential

Click Add and select Registry as the provider type.
3

Enter Details

  • Name: A unique identifier (e.g., ghcr-auth, harbor-prod)
  • Username: Your registry username
  • Password: Your registry password or access token
4

Save

Click Create to securely store the credential.

Provider-Specific Setup

Create a Personal Access Token:
  1. Go to GitHub → Settings → Developer settings → Personal access tokens
  2. Generate a token with read:packages scope
  3. For pushing charts, also add write:packages
Credential values:
  • Username: Your GitHub username
  • Password: The Personal Access Token
Create a Service Account:
  1. Go to Google Cloud Console → IAM → Service Accounts
  2. Create a new service account
  3. Grant “Artifact Registry Reader” role
  4. Create and download a JSON key
Credential values:
  • Username: _json_key
  • Password: The entire JSON key file contents
Get an auth token:
aws ecr get-login-password --region us-east-1
Credential values:
  • Username: AWS
  • Password: The token from the command above
ECR tokens expire after 12 hours. For production, consider using IAM roles or refresh the token regularly.
Create a Service Principal:
az ad sp create-for-rbac --name ankra-acr-reader \
  --scopes /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ContainerRegistry/registries/{registry} \
  --role acrpull
Credential values:
  • Username: The appId from the output
  • Password: The password from the output
Create an Access Token:
  1. Go to Docker Hub → Account Settings → Security
  2. Create a new Access Token with Read permissions
Credential values:
  • Username: Your Docker Hub username
  • Password: The Access Token (not your password)
Use a robot account (recommended):
  1. Go to your Harbor project → Robot Accounts
  2. Create a new robot account with pull permissions
Credential values:
  • Username: robot$project+name (the robot account name)
  • Password: The robot account secret
Create an API Key or Access Token:
  1. Go to User Profile → Edit Profile
  2. Generate an API Key or create an Access Token
Credential values:
  • Username: Your Artifactory username
  • Password: The API Key or Access Token

Using Credentials

With Helm Registries

When adding a registry, select the credential to use for authentication:
  1. Go to ChartsRepositoriesAdd
  2. Enter the registry URL
  3. Select the credential from the dropdown
  4. Click Add
Ankra will use the credential when syncing charts from the registry.

With GitOps

Credentials are automatically used when syncing configurations to GitHub repositories connected via OAuth.

Managing Credentials

View Credentials

Go to Credentials to see all stored credentials:
  • Name and type
  • Creation date
  • Associated registries (if any)

Update a Credential

  1. Click on the credential name
  2. Update the username or password
  3. Click Save
Updating a credential automatically applies to all registries using it. No need to reconfigure registries.

Delete a Credential

  1. Go to Credentials
  2. Click the menu (⋮) next to the credential
  3. Select Delete
Deleting a credential will break authentication for any registries using it. Update those registries first.

Security

Storage

Credentials are stored securely using HashiCorp Vault:
  • Encrypted at rest
  • Access controlled per organization
  • Audit logging for all access

Best Practices

Use Tokens, Not Passwords

Prefer access tokens over account passwords. Tokens can be scoped and revoked independently.

Minimum Permissions

Grant only the permissions needed. For chart sync, read-only access is sufficient.

Rotate Regularly

Rotate credentials periodically, especially for production registries.

Separate by Environment

Use different credentials for dev, staging, and production registries.

Troubleshooting

Authentication Errors

ErrorCauseSolution
401 UnauthorizedInvalid credentialsVerify username and password/token
403 ForbiddenInsufficient permissionsCheck the token has required scopes
Token expiredTemporary tokens (ECR)Refresh the token
Connection refusedNetwork issueCheck firewall and network access

Common Issues

“unauthorized: authentication required”
  • The credential wasn’t selected when adding the registry
  • Edit the registry and select the correct credential
“invalid username/password”
  • The token may have been revoked or expired
  • Regenerate the token and update the credential
“permission denied”
  • The token doesn’t have read access to the repository
  • Update the token permissions or use a different account

API Access

Manage credentials via the Ankra API: 
import requests

headers = {"Authorization": f"Bearer {TOKEN}"}

# List credentials
response = requests.get(
    "https://platform.ankra.app/api/v1/credentials",
    headers=headers
)

# Create credential
response = requests.post(
    "https://platform.ankra.app/api/v1/credentials",
    headers=headers,
    json={
        "name": "my-registry-auth",
        "provider": "registry",
        "username": "myuser",
        "password": "mytoken"
    }
)
See the API Reference for complete documentation.