66 changes: 37 additions & 29 deletions content/manuals/security/for-admins/access-tokens.md
@@ -15,14 +15,11 @@

> [!WARNING]
>
> Organization access tokens (OATs) are not intended to be used with Docker
> Desktop, and are incompatible.
> Organization access tokens (OATs) are not intended to be used with Docker
> Desktop or Docker Scout, and are incompatible.
>
> OATs are also currently incompatible with the following services:
>
> - Docker Scout
>
> If you use Docker Desktop or one of these services, you must use personal access tokens instead.
> If you use Docker Desktop or Docker Scout, you must use personal
> access tokens instead.
An organization access token (OAT) is like a [personal access token
(PAT)](/security/for-developers/access-tokens/), but an OAT is associated with
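Review bot: "not intended to be used with Docker Desktop or Docker Scout, and are incompatible" says the same thing twice; "Organization access tokens (OATs) can't be used with Docker Desktop or Docker Scout" is shorter and states the actual constraint. Also confirm that the source file keeps a blank line between `> access tokens instead.` and `An organization access token (OAT) is like a [personal access token`; the rendered diff shows none, and without it Markdown lazy continuation would pull that paragraph into the warning callout.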
@@ -37,12 +34,14 @@
if you find any suspicious activity.
- You can limit what each OAT has access to, which limits the impact if an OAT
is compromised.
- All company or organization owners can manage OATs. If one owner leaves the
- All company or organization owners can manage OATs. If one owner leaves the
organization, the remaining owners can still manage the OATs.
- OATs have their own Docker Hub usage limits that don't count towards your
personal account's limits.

If you have existing [service accounts](/docker-hub/service-accounts/), Docker recommends that you replace the service accounts with OATs. OATs offer the following advantages over service accounts:
If you have existing [service accounts](/docker-hub/service-accounts/),
Docker recommends that you replace the service accounts with OATs. OATs offer
the following advantages over service accounts:

- Access permissions are easier to manage with OATs. You can assign access
permissions to OATs, while service accounts require using teams for access
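Review bot: Whitespace-only changes in this hunk (a reflow of the service-accounts paragraph and an otherwise identical `All company or organization owners can manage OATs.` line, presumably a trailing-whitespace fix), so nothing to flag on content; just confirm the unchanged-looking line is an intentional whitespace fix and not an editor artifact.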
@@ -60,13 +59,14 @@

> [!IMPORTANT]
>
> Treat access tokens like a password and keep them secret. Store your tokens
> Treat access tokens like a password and keep them secret. Store your tokens
> securely in a credential manager for example.
Company or organization owners can create up to 10 organization access tokens
(OATs) for organizations with a Team subscription and up to 100 OATs for
organizations with a Business subscription. Expired tokens count towards the
total amount of tokens.
Company or organization owners can create up to:
- 10 OATs for organizations with a Team subscription
- 100 OATs for organizations with a Business subscription

Expired tokens count towards the total amount of tokens.

To create an OAT:

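Review bot: `Expired tokens count towards the total amount of tokens.` should read "total number of tokens" (tokens are countable), and since expired tokens consume quota, this sentence is the place to tell owners to delete expired tokens to free a slot, with a pointer to the **Delete** action in the token row described later in this file. Dropping the `(OATs)` expansion here is fine because the acronym is already defined above.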
@@ -78,23 +78,31 @@

4. Select **Generate access token**.

5. Add a label and optional description for your token. Use something that indicates the use case or purpose of the token.
5. Add a label and optional description for your token. Use something that
indicates the use case or purpose of the token.

6. Select the expiration date for the token.

7. Select the repository access for the token.

The access permissions are scopes that set restrictions in your repositories.
For example, for Read & Write permissions, an automation pipeline can build
an image and then push it to a repository. However, it can't delete the
repository. You can select one of the following options:

- **Public repositories (read only)**
- **All repositories**: You can select read access, or read and write access.
- **Select repositories**: You can select up to 50 repositories, and then
select read access, or read and write access for each repository.

8. Select **Generate token** and then copy the token that appears on the screen
7. Expand the **Repository** drop-down to set access permission
scopes for your token. To set Repository access scopes:
1. Optional. Select **Read public repositories**.
2. Select **Add repository** and choose a repository from the drop-down.
3. Set the scopes for your repository — **Image Push** or
**Image Pull**.
4. Add more repositories as needed. You can add up to 50 repositories.

8. Optional. Expand the **Organization** drop-down and select the
**Allow management access to this organization's resources** checkbox. This
setting enables organization management scopes for your token. The following
organization management scopes are available:
- **Member Edit**: Edit members of the organization
Contributor comment:

title case in the ui 😱
must get this fixed

- **Member Read**: Read members of the organization
- **Invite Edit**: Invite members to the organization
- **Invite Read**: Read invites to the organization
- **Group Edit**: Edit groups of the organization
- **Group Read**: Read groups of the organization

9. Select **Generate token**. Copy the token that appears on the screen
and save it. You won't be able to retrieve the token once you exit the
screen.

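Review bot: The new step 7 drops the only explanation of what the repository scopes permit (the removed sentence that a write-scoped token can build and push an image but can't delete the repository); keep a one-line equivalent for **Image Push** and **Image Pull** so readers can pick the narrower scope, and replace the em dash in `Set the scopes for your repository — **Image Push** or **Image Pull**.` with a colon. In step 8, the **Member Edit**, **Invite Edit** and **Group Edit** scopes change organization membership, so this is the natural place to repeat the earlier advice to limit what each OAT has access to: grant only the scopes the automation needs and prefer the Read variants where they suffice. The vale hint about "Allow" can be ignored here, since **Allow management access to this organization's resources** is a quoted UI label and should stay verbatim.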
@@ -123,7 +131,7 @@

3. Under **Security and access**, select **Access tokens**.

4. Select the actions menu on the far right of a token row, then select
4. Select the actions menu in the token row, then select
**Deactivate**, **Edit**, or **Delete** to modify the token. For **Inactive**
tokens, you can only select **Delete**.

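Review bot: Wording-only change; `in the token row` reads fine. Since **Deactivate** is the revocation path that the earlier bullet about suspicious activity relies on, consider stating whether deactivation takes effect immediately for requests already using the token, and whether a deactivated token can be reactivated through **Edit**; the current text leaves both open.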