finch icon indicating copy to clipboard operation
finch copied to clipboard

Published 20 hours ago verified publisher icon runfinch

Still authenticated after removing `creds_helpers` from Finch VM configuration

Open ginglis13 opened this issue 1 year ago • 2 comments

Follow up from #462 https://github.com/runfinch/finch/pull/462#issuecomment-1636448456, non-blocking for releasing the ECR credential helper integration with Finch.

Describe the bug Unexpected behavior in successfully pulling an image from a private ECR repo after removing ecr-login credential helper from Finch configuration.

I no longer have Finch configured with a credsStore in ~/.finch/finch.yaml, but I am still able to auth, push and pull with Finch. This is because ~/.finch/config.json still contains the "credsStore":"ecr-login" entry between inits/removals of VMs. Finch should set/remove this entry automatically by cross referencing ~/.finch/finch.yaml and ~/.finch/config.json on VM initialization.

Steps to reproduce

  1. Stop and remove any existing Finch VM: finch vm stop && finch vm remove
  2. Configreecr-login credential helper in finch.yaml:
creds_helpers: 
  - ecr-login
  1. finch vm init
  2. Pull some image from a private ECR repository
  3. Stop and remove the Finch VM: finch vm stop && finch vm remove
  4. Remove creds_helpers,ecr-login from finch.yaml
  5. finch vm init
  6. Successuly pull image from private ECR repository

Expected behavior

finch vm init cross references finch.yaml with the credential config in ~/.finch/config.json

Screenshots or logs n/a

Additional context n/a

ginglis13 avatar Jul 17 '23 23:07 ginglis13

I have also recently stumbled across this too. I was slightly confused if the user should be configuring the ~/.finch/config.json file themselves or if Finch should own it for them when a cred_helper is set?

The 2 scenarios I hit:

  1. I had the ecr-login configured as a cred_helper, I then deleted the ~/.finch/config.json (to start from scratch as I had a few other entries in there), did a finch vm stop and a finch vm start and I was expecting the config.json to be recreated, it was not.

  2. I'm also not sure what the first time user experience should be. If a user is setting the cred_helper themselves for the first time, will Finch populate the existing but empty ~/.finch/config.json file? In my testing that is not the case and I had to populate it. So therefore should we document that users need to populate this file?

ollypom avatar Oct 25 '23 12:10 ollypom

Hi, Team I will work on this issue and will assign it to me.

haytok avatar May 14 '24 14:05 haytok