OCI Registry Integrations

Some of OpenTofu's features can be configured to interact with OCI Registries.

These integrations are designed to support registries that implement OCI Distribution v1.1.0. Registries that implement earlier versions may work, depending on how strictly they validate submitted manifests, but we cannot officially support them because v1.1.0 is the first protocol version that includes explicit support for non-container-image artifacts.

OCI Registry Credentials​

By default, OpenTofu searches for OCI Registry credentials in the same locations as other tools in the OCI ecosystem, such as Docker CLI, Podman, Buildah, ORAS, etc. If you have already logged in to the registry you intend to use with the login facility from one of these programs then OpenTofu should discover and use the configured credentials automatically.

If you need more control over the behavior, refer to OCI Registry Credentials.

OpenTofu Modules in OCI Registries​

OpenTofu supports OCI Registries as one of its many supported module source address types.

No special configuration is required to enable this source address type aside from ensuring that you have configured whatever credentials are needed to communicate with the specified remote repository.

For more information on how to create suitable artifacts for use as OpenTofu module packages, refer to Module Packages in OCI Registries.

OpenTofu Providers in OCI Registries​

OpenTofu supports OCI Registries as a secondary installation source for provider plugin packages. You can configure OpenTofu to retrieve some or all providers from an OCI Registry instead of from each provider's primary OpenTofu Provider Registry.

For more information, refer to Provider Mirrors in OCI Registries.

OpenTofu does not yet support using an OCI Registry as the primary installation source for a provider, but we are hoping to allow that in a future version.