diff --git a/roles/vhosts/accounts_service/defaults/main.yml b/roles/vhosts/accounts_service/defaults/main.yml
index 51da87f..64f60b9 100644
--- a/roles/vhosts/accounts_service/defaults/main.yml
+++ b/roles/vhosts/accounts_service/defaults/main.yml
@@ -2,6 +2,9 @@
 accounts_service_image_ref: "{{ accounts_service_image_repo }}:{{ accounts_service_image_tag }}"
 accounts_service_image_repo: ghcr.io/x-evor/accounts
 accounts_service_image_tag: latest
+accounts_service_registry_server: "{{ lookup('ansible.builtin.env', 'GHCR_REGISTRY') | default('ghcr.io', true) }}"
+accounts_service_registry_username: "{{ lookup('ansible.builtin.env', 'GHCR_USERNAME') | default('', true) }}"
+accounts_service_registry_password: "{{ lookup('ansible.builtin.env', 'GHCR_PASSWORD') | default(lookup('ansible.builtin.env', 'GHCR_TOKEN') | default('', true), true) }}"
 accounts_service_pull_image: true
 accounts_service_container_port: 8080
 accounts_service_base_dir: /opt/cloud-neutral/accounts/managed
diff --git a/roles/vhosts/accounts_service/tasks/main.yml b/roles/vhosts/accounts_service/tasks/main.yml
index 66c4ea7..bf2726d 100644
--- a/roles/vhosts/accounts_service/tasks/main.yml
+++ b/roles/vhosts/accounts_service/tasks/main.yml
@@ -30,6 +30,17 @@
     enabled: true
     state: started
 
+- name: Log into container registry for accounts service
+  ansible.builtin.shell: |
+    set -euo pipefail
+    printf '%s' '{{ accounts_service_registry_password }}' | docker login {{ accounts_service_registry_server }} -u '{{ accounts_service_registry_username }}' --password-stdin
+  args:
+    executable: /bin/bash
+  no_log: true
+  when:
+    - accounts_service_registry_username | length > 0
+    - accounts_service_registry_password | length > 0
+
 - name: Ensure shared Docker network exists for accounts service
   ansible.builtin.command: docker network inspect "{{ accounts_service_shared_network }}"
   changed_when: false