RHEL-82921

[RFE] Support cloud registry credential provider in container tools


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • rhel-9.6
    • podman
    • Moderate
    • rhel-container-tools

      Various cloud providers include their own container registries. For example, AWS has ECR, Azure has ACR, and GCP has GCR.

      For these container registries, it's possible for hosts running in those clouds to obtain credentials to access these registries using a credential provider. This is basically some tiny amount of code that requests a pull secret from the cloud API. This is a well-established pattern in Kubernetes. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/. And here, for example, is the OCP code for AWS+ECR: https://github.com/openshift/cloud-provider-aws/tree/master/cmd/ecr-credential-provider.

      But of course, this feature is useful outside of k8s too. Anyone using podman in e.g. RHEL or Fedora instances in those clouds should ideally be able to get secrets for the integrated registry without too much work.

      This is an RFE to add this support to podman for at least AWS (but ideally Azure and GCP as well). It doesn't need to be enabled by default, but it should be relatively painless for users to turn it on as needed. It's worth noting there's an API that already exists for Docker to do this, which it would make sense to be compatible with. Here, for example, is the AWS Docker credential helper: https://github.com/awslabs/amazon-ecr-credential-helper.

      Having this in RHEL will actually help OCP as well since we'd be able to use that in our RHEL-only bootimages to bootstrap OCP nodes in scenarios where we don't want the node to pull any container images at all from outside the cloud registry (as can happen with ROSA).
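      The Docker credential-helper API mentioned above is small enough to show end to end. The following is an added example, not podman's code and not the amazon-ecr-credential-helper: a read-only helper that speaks the protocol the docker and podman clients use (a helper binary named docker-credential-<name> on PATH, invoked with one of get, store, erase, list; for get it reads the registry server URL on stdin and prints a JSON object with ServerURL, Username and Secret). The cloud API is replaced by a constructed table of tokens in the ECR format (base64 of "AWS:<password>"); the account id, region and password are made up, and fetch_authorization_token stands in for the real SDK call.

```python
"""Minimal read-only credential helper speaking the Docker credential-helper
protocol, which podman also consumes via the "credHelpers" map in
containers-auth.json. Added illustration; not podman's code and not the
amazon-ecr-credential-helper. The cloud API is faked with constructed data."""
import base64
import io
import json
import sys
from typing import Optional, Tuple

# Constructed stand-in for the cloud API. ECR's GetAuthorizationToken returns
# base64("AWS:<password>"); the account id and password here are made up.
FAKE_CLOUD_TOKENS = {
    "123456789012.dkr.ecr.us-east-1.amazonaws.com":
        base64.b64encode(b"AWS:constructed-ecr-password").decode("ascii"),
}

# Exact message the docker/podman client recognises when a helper has no entry.
NOT_FOUND = "credentials not found in native keychain"


def fetch_authorization_token(registry: str) -> Optional[str]:
    """Hypothetical cloud-API call; a real helper would use the cloud SDK here."""
    return FAKE_CLOUD_TOKENS.get(registry)


def decode_token(token: str) -> Tuple[str, str]:
    """Split a base64 'user:password' token; the password may itself contain colons."""
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep or not user or not password:
        raise ValueError("malformed authorization token")
    return user, password


def normalize_server_url(server_url: str) -> str:
    """The client may send a bare host or a URL; reduce both to the host part."""
    host = server_url.strip()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0]


def get(server_url: str) -> dict:
    """Handle 'get': return the object the protocol expects, or raise KeyError."""
    registry = normalize_server_url(server_url)
    token = fetch_authorization_token(registry)
    if token is None:
        raise KeyError(NOT_FOUND)
    user, password = decode_token(token)
    return {"ServerURL": registry, "Username": user, "Secret": password}


def run(argv, stdin_text: str) -> Tuple[int, str]:
    """Dispatch one helper invocation; returns (exit code, text for stdout)."""
    out = io.StringIO()
    action = argv[1] if len(argv) == 2 else None
    if action == "get":
        try:
            json.dump(get(stdin_text), out)
            return 0, out.getvalue()
        except KeyError as exc:
            # The client matches this text to fall back to other credential sources.
            return 1, str(exc.args[0])
    if action == "list":
        # Username per known registry; secrets are never listed.
        json.dump({r: decode_token(t)[0] for r, t in FAKE_CLOUD_TOKENS.items()}, out)
        return 0, out.getvalue()
    if action in ("store", "erase"):
        # Tokens are minted by the cloud API on demand, so nothing is stored locally.
        return 1, "read-only helper: %s is not supported" % action
    return 1, "usage: docker-credential-<name> get|store|erase|list"


if __name__ == "__main__":
    code, text = run(sys.argv, sys.stdin.read())
    sys.stdout.write(text)
    sys.exit(code)
```

      To wire a helper like this into podman without any new code in podman itself, install it on PATH as docker-credential-mycloud (the name is an assumption) and point the registry at it in containers-auth.json with a "credHelpers" entry of the form {"credHelpers": {"123456789012.dkr.ecr.us-east-1.amazonaws.com": "mycloud"}}; podman then invokes the helper on every pull instead of reading a stored "auths" entry. Two things worth keeping in mind with the real thing: ECR authorization tokens are short-lived (12 hours), so a helper must fetch fresh rather than cache indefinitely, and the secret only ever travels over the helper's stdout to the calling client, so a helper should never log the token or echo it on the store path.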

              Brent Baude (bbaude@redhat.com)
              Jonathan Lebon (jlebon1@redhat.com)
              Votes: 0
              Watchers: 15