openshift / image-registry

OpenShift cluster image registry
Apache License 2.0

[Need help] How to get a username/password (do not refresh) who has the admin permission for openshift registry #238

Closed lcnsir closed 3 years ago

lcnsir commented 4 years ago

OCP 4.3

I want to get a user/password, or serviceaccount/token, that has admin permission for the OpenShift internal registry.

I have a use case where a user with a password (that will not expire) can access the OCP image-registry.

Tried cases: admin user with token (generated by oc, and it will expire):

```
oc whoami -t
9XIUr1LqQ7eIzR4DnFVaWundefinedwFAeHtsFnYQcB97u4AiH90
bash-4.4$ curl -k -s -u admin:9XIUr1LqQ7eIzR4DnFVaWundefinedwFAeHtsFnYQcB97u4AiH90 "https://image-registry.openshift-image-registry.svc:5000/openshift/token?service=token-service&scope=registry:catalog:*"
{"access_token":"9XIUr1LqQ7eIzR4DnFVaWundefinedwFAeHtsFnYQcB97u4AiH90","token":"9XIUr1LqQ7eIzR4DnFVaWundefinedwFAeHtsFnYQcB97u4AiH90"}
bash-4.4$ export TOKEN=9XIUr1LqQ7eIzR4DnFVaWundefinedwFAeHtsFnYQcB97u4AiH90
bash-4.4$ curl -k -s -H "Authorization: Bearer $TOKEN " "https://image-registry.openshift-image-registry.svc.cluster.local:5000/v2/_catalog"
{"repositories":["openshift/apicast-gateway","openshift/apicurito-ui","openshift/cli","openshift/cli-artifacts","openshift/dotnet","openshift/dotnet-runtime","openshift/eap-cd-openshift","openshift/fis-java-openshift","openshift/fis-karaf-openshift","openshift/fuse-apicurito-generator","openshift/fuse7-console","openshift/fuse7-eap-openshift","openshift/fuse7-java-openshift","openshift/fuse7-karaf-openshift","openshift/golang","openshift/httpd","openshift/installer","openshift/installer-artifacts","openshift/java","openshift/jboss-amq-62","openshift/jboss-amq-63","openshift/jboss-datagrid65-client-openshift","openshift/jboss-datagrid65-openshift","openshift/jboss-datagrid71-client-openshift","openshift/jboss-datagrid71-openshift","openshift/jboss-datagrid72-openshift","openshift/jboss-datagrid73-openshift","openshift/jboss-datavirt64-driver-openshift","openshift/jboss-datavirt64-openshift","openshift/jboss-decisionserver64-openshift","openshift/jboss-eap64-openshift","openshift/jboss-eap70-openshift","openshift/jboss-eap71-openshift","openshift/jboss-eap72-openshift","openshift/jboss-fuse70-console","openshift/jboss-fuse70-eap-openshift","openshift/jboss-fuse70-java-openshift","openshift/jboss-fuse70-karaf-openshift","openshift/jboss-processserver64-openshift","openshift/jboss-webserver30-tomcat7-openshift","openshift/jboss-webserver30-tomcat8-openshift","openshift/jboss-webserver31-tomcat7-openshift","openshift/jboss-webserver31-tomcat8-openshift","openshift/jboss-webserver50-tomcat9-openshift","openshift/jenkins","openshift/jenkins-agent-maven","openshift/jenkins-agent-nodejs","openshift/mariadb","openshift/modern-webapp","openshift/mongodb","openshift/must-gather","openshift/mysql","openshift/nginx","openshift/nodejs","openshift/openjdk-11-rhel7","openshift/perl","openshift/php","openshift/postgresql","openshift/python","openshift/redhat-openjdk18-openshift","openshift/redhat-sso70-openshift","openshift/redhat-sso71-openshift","openshift/redhat-sso72-openshift","openshift/redhat-sso73-openshift","openshift/redis","openshift/rhdm74-decisioncentral-openshift","openshift/rhdm74-kieserver-openshift","openshift/rhdm74-optaweb-employee-rostering-openshift","openshift/rhpam74-businesscentral-monitoring-openshift","openshift/rhpam74-businesscentral-openshift","openshift/rhpam74-kieserver-openshift","openshift/rhpam74-smartrouter-openshift","openshift/ruby","openshift/tests"]}
```

This method has permission to list all images in the OCP registry, but the password is generated by `oc whoami -t` and this password will expire.

How could I get a user name and password/token that will not expire and that has admin permission to the OCP internal registry? Or some service account token with username serviceaccount in the default docker secret created by OpenShift in namespaces?

bparees commented 4 years ago

This isn't really a registry question; the registry respects the same tokens as the rest of OpenShift. That said, I'm not aware of service account tokens expiring, so I'd suggest you create a service account, grant it the permissions it needs to access the images you want, and get its token.
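
The three steps suggested above (create a service account, grant it permissions, get its token) can be scripted as follows. This is an added example, not part of the thread or the project's code; the function name and the project/account names are illustrative, and it assumes an `oc` client of the OCP 4.3 era, where `oc sa get-token` is available.

```bash
#!/usr/bin/env bash
# Added example, not from the issue thread. Assumes a logged-in user who may
# create service accounts and role bindings. All names are illustrative.

# Registry roles that ship with OpenShift, least to most privileged.
ALLOWED_ROLES="registry-viewer registry-editor registry-admin"

# registry_sa_token NAMESPACE SA_NAME ROLE [namespace|cluster]
# Creates the service account, binds ROLE to it, prints its token on stdout.
# Scope defaults to "namespace": the role applies to that one project only;
# "cluster" applies it to every project. Returns 2 on rejected arguments,
# 1 when an oc call fails.
registry_sa_token() {
  local ns="$1" sa="$2" role="$3" scope="${4:-namespace}" subject
  if [ -z "$ns" ] || [ -z "$sa" ] || [ -z "$role" ]; then
    echo "usage: registry_sa_token NAMESPACE SA_NAME ROLE [namespace|cluster]" >&2
    return 2
  fi
  # Refuse anything outside the registry roles (for example cluster-admin).
  case " $ALLOWED_ROLES " in
    *" $role "*) ;;
    *) echo "refusing non-registry role: $role" >&2; return 2 ;;
  esac
  case "$scope" in
    namespace|cluster) ;;
    *) echo "scope must be 'namespace' or 'cluster'" >&2; return 2 ;;
  esac
  subject="system:serviceaccount:$ns:$sa"

  # Reuse an existing account so the function can be re-run safely.
  oc get serviceaccount "$sa" -n "$ns" >/dev/null 2>&1 ||
    oc create serviceaccount "$sa" -n "$ns" >/dev/null || return 1

  if [ "$scope" = "cluster" ]; then
    oc adm policy add-cluster-role-to-user "$role" "$subject" >/dev/null || return 1
  else
    oc policy add-role-to-user "$role" "$subject" -n "$ns" >/dev/null || return 1
  fi

  oc sa get-token "$sa" -n "$ns" || return 1
}

# Usage against a real cluster; send the result as "Authorization: Bearer":
#   TOKEN=$(registry_sa_token my-project registry-reader registry-viewer)
```

Because the token does not expire on its own, deleting the service account (or its role binding) is the way to revoke access.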


openshift-ci-robot commented 3 years ago

@openshift-bot: Closing this issue.
