diff --git a/inventory/sample/group_vars/all/cri-o.yml b/inventory/sample/group_vars/all/cri-o.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3e6e4eebb31d3ab4169de0c9fffdc57d60096985
--- /dev/null
+++ b/inventory/sample/group_vars/all/cri-o.yml
@@ -0,0 +1,6 @@
+# crio_insecure_registries:
+#   - 10.0.0.2:5000
+# crio_registry_auth:
+#   - registry: 10.0.0.2:5000
+#     username: user
+#     password: pass
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index bc9092fd7dc06b46190291a176776797f2c81a1f..5f53aa6f9809500017bfa6238d37cf20c6bb94eb 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -14,6 +14,12 @@ crio_registries: []
 # Configure insecure registries.
 crio_insecure_registries: []
 
+# Configure registry auth (if applicable to secure/insecure registries)
+crio_registry_auth: []
+#  - registry: 10.0.0.2:5000
+#    username: user
+#    password: pass
+
 # Define registiries mirror
 
 crio_registries_mirrors: []
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index d22d1dc321976764794bfbd28b99c092add6b48f..55db2690f749eef279383a2253fc22f6d8820712 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -80,6 +80,12 @@
     mode: 0644
   register: config_install
 
+- name: Install config.json
+  template:
+    src: config.json.j2
+    dest: /etc/crio/config.json
+  register: reg_auth_install
+
 - name: Add skopeo pkg to install
   set_fact:
     crio_packages: "{{ crio_packages + skopeo_packages }}"
@@ -198,6 +204,7 @@
     state: restarted
   when:
     - config_install.changed
+    - reg_auth_install.changed
     - not package_install.changed
     - not service_start.changed
 
diff --git a/roles/container-engine/cri-o/templates/config.json.j2 b/roles/container-engine/cri-o/templates/config.json.j2
new file mode 100644
index 0000000000000000000000000000000000000000..522ade7a4fe677d45b47aa035d26298860131e2f
--- /dev/null
+++ b/roles/container-engine/cri-o/templates/config.json.j2
@@ -0,0 +1,17 @@
+{% if crio_registry_auth is defined and crio_registry_auth|length %}
+{ 
+{% for reg in crio_registry_auth %}
+  "auths": {
+    "{{ reg.registry }}": {
+      "auth": "{{ (reg.username + ':' + reg.password) | string | b64encode }}"
+    }
+{% if not loop.last %}
+  },
+{% else %}
+  }
+{% endif %}
+{% endfor %}
+}
+{% else %}
+{}
+{% endif %}
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index cdc7363ac0496a53aae8e66611eb237cb1d47e07..b6f5357dd1dbc33e4973933a77bb91fab305998b 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -313,7 +313,7 @@ default_transport = "docker://"
 
 # The path to a file containing credentials necessary for pulling images from
 # secure registries. The file is similar to that of /var/lib/kubelet/config.json
-global_auth_file = ""
+global_auth_file = "/etc/crio/config.json"
 
 # The image used to instantiate infra containers.
 # This option supports live configuration reload.