docker-credential-helpers
I need plain text credentials in my config.json, how do I disable this if it is enabled?
On Windows it defaults to using this provider so when I run docker login sensitive info isn't saved to the config.json. This is good but I need to disable it, I need these creds to be plain text to support a specific service.
This is very frustrating because I can't find any info on how to disable wincred (or even uninstall it). There has to be a way to turn it off temporarily so I can generate a config.json with my creds in plain text.
@red8888 Reading https://docs.docker.com/engine/reference/commandline/login/#credentials-store I think explicitly putting an empty value in the credsStore value in ~/.docker/config.json instead of wincred should do the trick 👼
Not working, docker login put wincred in empty place.
This does not work for Windows Docker Enterprise 18.09.5
I don't know how one would translate this into a Windows equivalent but LinuxKit calls the credhelper itself to extract the values: https://github.com/linuxkit/linuxkit/blob/master/scripts/push-manifest.sh#L52...L54
If you could replicate that on Windows (In powershell perhaps?) then you could write your own config.json in some tempdir and point your service at that instead of the real one perhaps?
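The approach suggested in the comment above (ask the credential helper for the stored values, then write a separate config.json for the service to read), as an added Python example that is not from the thread or from LinuxKit. The function names and the registry names used to exercise it are assumptions; it goes slightly beyond the comment by also handling identity tokens, which helpers return under the username `<token>`.

```python
import base64
import json
import os
import subprocess
import tempfile


def helper_get(helper, server_url):
    """Run `docker-credential-<helper> get`; the server URL goes in on stdin."""
    proc = subprocess.run(
        [f"docker-credential-{helper}", "get"],
        input=server_url.encode(), capture_output=True, check=True,
    )
    return json.loads(proc.stdout)  # {"ServerURL", "Username", "Secret"}


def build_config(entries):
    """Turn {server: helper reply} into a config.json dict with inline auths."""
    auths = {}
    for server, cred in entries.items():
        if cred["Username"] == "<token>":
            # Helpers mark identity tokens with this sentinel username.
            auths[server] = {"identitytoken": cred["Secret"]}
        else:
            pair = f"{cred['Username']}:{cred['Secret']}".encode()
            auths[server] = {"auth": base64.b64encode(pair).decode()}
    return {"auths": auths}  # no credsStore key is written


def write_config(config, directory):
    """Write config.json readable by the owner only (base64 is not encryption)."""
    path = os.path.join(directory, "config.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(config, f, indent=2)
    return path


def export_plaintext(helper, servers, get=helper_get):
    """Create a private temp dir holding a plain-text config.json."""
    directory = tempfile.mkdtemp(prefix="docker-config-")  # created with mode 0700
    entries = {server: get(helper, server) for server in servers}
    return write_config(build_config(entries), directory)
```

The directory containing the returned path is what `--config` or `DOCKER_CONFIG` expects; delete it once the service no longer needs it.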
Ok, seems like manually copying wincred into the docker installation folder fixes things. 18.09.2 worked just fine.
Hello guys. I'm having the same issue on ubuntu 18. In credStore there's pass configured and no matter what I do, I can't disable it.
1. If I remove pass value from credStore and try to docker login I get error that pass is not initialized
2. If I delete .docker/config.json, I got same as 1.
Is there a way to disable this? I want my plain text back again.
Thanks
Also keen to get plain text only credentials. I'm connecting to AWS ECR so the credentials are only valid for a few hours anyway.
If you have WSL enabled you can use wsl docker --config . login to store plain text config.json in current directory.
I just got the auth hash after setting the credsStore value to "" followed by docker login.
The workaround is not working anymore. In the latest version for us Docker is overwriting the value and using wincred again. It has broken our build and release pipelines. There are also many people reporting that in the for-mac repo and as always, so far no reply from Docker guys...
Linked issues (probably way more, especially closed by our hated Docker bot):
- https://github.com/moby/moby/issues/32733
- https://github.com/moby/moby/issues/33252
- https://github.com/moby/moby/issues/26198
- https://github.com/docker/cli/issues/1263
- https://github.com/docker/cli/issues/1219
- https://github.com/docker/for-win/issues/6043
- https://github.com/docker/for-win/issues/2856
- https://github.com/docker/for-win/issues/5020
- https://github.com/docker/for-mac/issues/1584
- https://github.com/docker/for-mac/issues/4100
- https://github.com/docker/for-mac/issues/4192
- Break the unofficial workarounds for:
- https://github.com/docker/for-mac/issues/2295
- https://github.com/docker/docker-credential-helpers/issues/65
- https://github.com/docker/docker-credential-helpers/issues/22
We need an actual value that tells Docker to not use any external credential, just base64 as before. We don't need workarounds of "set it to empty", "remove it from the file" or "delete the binaries from the Docker installation" because after each update the behavior of that "empty / not present" value changes.
It's ok to break things. We are software developers, we do it all the time. But please, just reply to any of the issues. Listen to the community, we are taking our work time to investigate and report them. Try to help and stop auto-closing issues because no one from the dev team replied. After reading all of these unanswered issues I am feeling no one cares about the issues we report.
The issue could be here:
https://github.com/docker/cli/blob/b350e14b1f83e1870a234ff2c554450707218204/cli/config/config.go#L143-L144
That it's getting the default storage when the value from the configuration file is empty. The default storage is the one from the platform even when the user specifies empty.
https://github.com/docker/cli/blob/b350e14b1f83e1870a234ff2c554450707218204/cli/config/credentials/default_store.go#L9-L21
and here it creates the "native" credential store instead of the "file" one as we want:
https://github.com/docker/cli/blob/f7185d27e165c50c55c898720fec38b37a751393/cli/config/configfile/file.go#L280
but according to this function, if we set the credHelpers of our repository to empty, it will use the "file" store
https://github.com/docker/cli/blob/f7185d27e165c50c55c898720fec38b37a751393/cli/config/configfile/file.go#L280
~~I have tested that workaround and now it works again!~~ Update: it doesn't work. Let's see for how much time since this doesn't seem to be well supported. New config file:
{
  "auths": {},
  "HttpHeaders": {
    "User-Agent": "Docker-Client/19.03.8 (windows)"
  },
  "credsStore": "wincred",
  "credHelpers": {
    "MY_PRIVATE_REPOSITORY_URL": ""
  }
}
The workaround doesn't fully work as Docker decides to wipe out my config file and remove all the credHelpers. I have to create scripts to re-create this config file every time we do a docker push.
We are starting to consider migrating to Podman and Buildah, it's just incredible that we don't get any answer for these bugs reported for several years, with workarounds that need to be changed and investigated in every Docker update....
Docker team, any updates? I have the same problem and no workarounds work...
That's fairly annoying, to be honest. I feel like it's pretty standard to have your CD runner log into your docker registry while headless, and that would fail if target machine has gnome-keyring (rather docker-credential-secretservice) installed. Installing docker-credential-pass is somewhat of a solution in my situation though, unlike OP.
My Workaround
Hiding docker-credential-pass from which / PATH and using separate config for example $PWD/.docker/config.json is required to make both Base64 and pass to work on same host for same user, you will just have to run different commands for each method.
- Do not put docker-credential-pass. Put it to $PWD/bin/docker-credential-pass and update $PATH before calling any docker command, for example: PATH=$PWD/bin/docker-credential-pass:$PATH docker login ...
- Use custom config.json to store desired credsStore state, for example: PATH=$PWD/bin/docker-credential-pass:$PATH docker login --config $PWD/.docker/ ...
Base64
docker login ...
# Reading $HOME/.docker/config.json
pass
Note that --config accepts directory and NOT a filename.
PATH=$PWD/bin/docker-credential-pass:$PATH docker login --config $PWD/.docker/ ...
# Reading $PWD/.docker/config.json
apt remove golang-docker-credential-helpers worked for me
This uninstalls The following packages will be REMOVED: docker-compose golang-docker-credential-helpers python-docker python-dockerpycreds
This means I cannot use docker-compose, but I would rather start my containers with a normal shell script than it popping up GUI based key managers all the time
Running: ubuntu 18.04
$ docker --version
Docker version 20.10.7, build 20.10.7-0ubuntu5~18.04.3
Just encountered this issue on Mac/Monterey with latest Docker desktop 4.5.0(74594). The workaround is:
- remove all docker-credential-* from /Applications/Docker.app/Contents/Resources/bin/
- remove credsStore and auth key from ~/.docker/config.json
- do docker login, if you get this warning, you are good to go:
[2022-02-25 14:18:33] WARNING! Your password will be stored unencrypted in xxx/.docker/config.json.
[2022-02-25 14:18:33] Configure a credential helper to remove this warning. See
[2022-02-25 14:18:33] https://docs.docker.com/engine/reference/commandline/login/#credentials-store
I tried just temporarily moving them to a new name (they were actually symlinks in /usr/local/bin, renamed the symlinks) and renaming them back after logging in and so far so good.
Here's the solution I came up with - a python script that handles the store, get commands
docker-credential-plaintext.py
#!/usr/bin/env python3
import json
import os
import sys

_data = None
_args = sys.argv  # action
_stdin = sys.stdin.read().strip()
_dir = os.environ['DOCKER_CONFIG']
creds_file = f'{_dir}/creds.json'

# Load previously stored credentials, if any
if os.path.isfile(creds_file):
    with open(creds_file, 'r') as f:
        _data = f.read()
creds = json.loads(_data) if _data else {}

if _args[1] == 'store':
    payload = json.loads(_stdin)  # ServerURL,Username,Secret:dict
    creds[payload['ServerURL']] = {
        "Username": payload['Username'],
        "Secret": payload['Secret']
    }
    with open(creds_file, 'w') as f:
        json.dump(creds, f, indent=2)
elif _args[1] == 'get':
    server_url = _stdin  # ServerURL:str
    if server_url in creds:
        print(json.dumps(creds[server_url]))
Example usage:
cp -f docker-credential-plaintext.py /usr/local/bin/docker-credential-plaintext
chmod +x /usr/local/bin/docker-credential-plaintext
export DOCKER_CONFIG="$(pwd)/.docker"
mkdir -p "$DOCKER_CONFIG"
echo '{"credsStore": "plaintext"}' > "$DOCKER_CONFIG/config.json"
docker --config "$DOCKER_CONFIG" login --username USERNAME --password PASSWORD REPOSITORY
docker push REPOSITORY/IMAGE:TAG
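Besides store and get, the credential-helper protocol has erase and list verbs, and a helper reports a missing entry by printing "credentials not found in native keychain" and exiting non-zero. The following is an added example, not the commenter's script, of a plain-text helper covering all four verbs and keeping creds.json at mode 0600; the function names and the fallback to ~/.docker when DOCKER_CONFIG is unset are assumptions.

```python
#!/usr/bin/env python3
import json
import os
import sys

NOT_FOUND = "credentials not found in native keychain"  # message the docker CLI recognises


def load(path):
    if not os.path.isfile(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save(path, creds):
    # Write an owner-only temp file, then atomically replace the real one.
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(creds, f, indent=2)
    os.replace(tmp, path)


def handle(action, stdin_text, path):
    """Return (stdout text, exit code) for one helper invocation."""
    creds = load(path)
    arg = stdin_text.strip()
    if action == "store":  # stdin: JSON with ServerURL, Username, Secret
        item = json.loads(arg)
        creds[item["ServerURL"]] = {"Username": item["Username"], "Secret": item["Secret"]}
        save(path, creds)
        return "", 0
    if action == "get":  # stdin: the bare server URL
        if arg not in creds:
            return NOT_FOUND, 1
        return json.dumps({"ServerURL": arg, **creds[arg]}), 0
    if action == "erase":  # called on docker logout
        if creds.pop(arg, None) is not None:
            save(path, creds)
        return "", 0
    if action == "list":  # map of server URL to username
        return json.dumps({url: c["Username"] for url, c in creds.items()}), 0
    return f"unknown action: {action}", 1


if __name__ == "__main__":
    directory = os.environ.get("DOCKER_CONFIG", os.path.expanduser("~/.docker"))
    out, code = handle(sys.argv[1] if len(sys.argv) > 1 else "",
                       sys.stdin.read(), os.path.join(directory, "creds.json"))
    if out:
        print(out)
    sys.exit(code)
```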