Source: https://crabglamp.com/docs/app-vms/how-to/deploy-a-private-image
Last updated: 2026-06-12
Type: how-to

## Save a registry credential

1. Open **Registry credentials** in the dashboard sidebar.
2. Enter the registry host (for example `ghcr.io`), a username, and an access token, then select **Add credential**.
3. CrabGlamp verifies the credential against the registry before saving it. A rejected token fails with an explanation.

Credentials belong to your account: any App VM can use them, and updating one updates every App that references it on its next deploy.

### Token requirements by registry

| Registry | Username | Secret |
|---|---|---|
| Docker Hub (`docker.io`) | Your Docker ID | Password or access token |
| GitHub (`ghcr.io`) | Your GitHub username | Personal access token with `read:packages` |
| GitLab (`registry.gitlab.com`) | Your GitLab username | Personal access token with `read_registry` |
| Google Artifact Registry | `_json_key` | A service-account JSON key with the Artifact Registry Reader role |
| Amazon ECR | `AWS` | Output of `aws ecr get-login-password` — expires every 12 hours; update the credential on the Registry credentials page to refresh |

## Create the App VM

1. Select **Create App VM** and enter your private image reference.
2. Choose the credential under **Registry credential**, or add one inline.
3. Submit. CrabGlamp checks that the image is reachable with that credential — a mistyped reference, a rejected token, or an image without a `linux/amd64` variant fails immediately with a specific message instead of creating a broken App.

The first start authenticates with your credential. No redeploy step is needed.

> **Note on image verification:** The pre-create check works by fetching the image manifest. For multi-platform images (manifest lists), CrabGlamp can confirm `linux/amd64` is present. For single-platform images, the platform is not visible in the manifest alone — if an incompatible single-platform image is deployed, the failure appears as a failed first deploy rather than a creation error.

## Change or remove a credential

- To point an App at a different credential, use the **Configuration** card on the App's detail page and save — the App redeploys with the new credential.
- A credential that is still referenced by an App cannot be deleted; reassign those Apps first.

## If a pull fails after creation

A revoked or expired token surfaces as a failed deploy with the registry's error. Update the credential under **Registry credentials**, then redeploy from the App's detail page.