diff --git a/_data/toc.yaml b/_data/toc.yaml index 403219d748..dc8270821e 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1336,6 +1336,8 @@ manuals: title: Docker ID accounts - path: /docker-hub/repos/ title: Repositories + - path: /docker-hub/service-accounts/ + title: Service accounts - path: /docker-hub/official_images/ title: Official images - sectiontitle: Automated builds diff --git a/docker-hub/repos.md b/docker-hub/repos.md index 920e6990f9..1b918c3cb0 100644 --- a/docker-hub/repos.md +++ b/docker-hub/repos.md @@ -195,33 +195,3 @@ You now have an image from which you can run containers. Your repositories can be starred and you can star repositories in return. Stars are a way to show that you like a repository. They are also an easy way of bookmarking your favorites. - -## Service accounts - -A service account is a Docker ID used by a bot for automating the build pipeline -for containerized applications. Service accounts are typically used in automated -workflows, and do not share Docker IDs with the members in the Team plan. - -To create a new service account for your Team account: - -1. Create a new Docker ID. -2. Create a [team](orgs.md#create-a-team) in your organization and grant it read-only access to your private repositories. -3. Add the new Docker ID to your [organization](orgs.md#working-with-organizations). -4. Add the new Docker ID to the [team](orgs.md#add-a-member-to-a-team) you created earlier. -5. Create a new [personal access token (PAT)](/access-tokens.md) from the user account and use it for CI. - -To create a new service account for your Pro account: - -1. Create a new Docker ID. -2. Click **Repositories** from the main menu. -3. Select a repository from the list and go to the **Collaborators** tab. -4. Add the new Docker ID as a collaborator. -5. Create a new [personal access token (PAT)](/access-tokens.md) from the user account and use it for CI. - -If you want a read-only PAT just for your open source repos, or to access -official images and other public images, you do not have to grant any access permissions to the new Docker ID. - -> **Note** -> -> Service accounts are still subject to Docker's fair pull limit policy. -> To learn more about these limits, see our [Resource Consumption Updates FAQ](https://www.docker.com/pricing/resource-consumption-updates){:target="_blank" rel="noopener" class="_"}. diff --git a/docker-hub/service-accounts.md b/docker-hub/service-accounts.md new file mode 100644 index 0000000000..a983bb9119 --- /dev/null +++ b/docker-hub/service-accounts.md @@ -0,0 +1,54 @@ +--- +description: Docker Service accounts +keywords: Docker, service, accounts, Docker Hub +title: Service accounts +--- + +A service account is a Docker ID used for automated management of container images or containerized applications. Service accounts are typically used in automated workflows, and do not share Docker IDs with the members in the Team plan. Common use cases for service accounts include mirroring content on Docker Hub, or tying in image pulls from your CI/CD process. + +> **Note** +> +> Service accounts included with the Team plan are limited to 15,000 pulls per day. If you require a higher number of pulls, you can purchase an Enhanced Service Account add-on. + +## Enhanced Service Account add-on pricing + +Refer to the following table for details on the Enhanced Service Account add-on pricing: + +| Tier | Pull Rates Per Day* | Annual Fee | +| ------ | ------ | ------ | +| 1 | 15-50k | $9,950/yr | +| 2 | 50-150k | $17,950/yr | +| 3 | 150k-500k | $60,000/yr | +| 4 | 500k+ | Tier 4+ $60k/yr/500k Pull increment | + +*Once the initial Tier is established, that is the minimum fee for the year. Annual commitment required. The service account may exceed Pulls by up to 25% for up to 20 days during the year without incurring additional fees. Reports on consumption will be provided upon request. At the end of the initial 1-year term, the appropriate Tier will be established for the following year. + +## How a pull is defined + +- A pull request is defined as up to two `GET` requests on registry manifest URLs (`/v2/*/manifests/*`). +- A normal image pull makes a single manifest request. +- A pull request for a multi-arch image makes two manifest requests. +- `HEAD` requests are not counted. +- Limits are applied based on the user doing the pull, and not based on the image being pulled or its owner. + +## Creating a new service account + +To create a new service account for your Team account: + +1. Create a new Docker ID. +2. Create a [team](orgs.md#create-a-team) in your organization and grant it read-only access to your private repositories. +3. Add the new Docker ID to your [organization](orgs.md#working-with-organizations). +4. Add the new Docker ID to the [team](orgs.md#add-a-member-to-a-team) you created earlier. +5. Create a new [personal access token (PAT)](/access-tokens.md) from the user account and use it for CI. + +> **Note** +> +> If you want a read-only PAT just for your open-source repos, or to access +official images and other public images, you do not have to grant any access permissions to the new Docker ID. + +## Additional information + +Refer to the following topics for additional information: + +- [Mirroring Docker Hub](../registry/recipes/mirror.md) +- [Resource Consumption Updates FAQ](https://www.docker.com/pricing/resource-consumption-updates){:target="_blank" rel="noopener" class="_"}