I have the following warning when I log in to my registry during a continuous integration (CI) process:
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Should I just replace --password with --password-stdin?
Add a comment
|
7 Answers
According to docker documentation:
To run the docker login command non-interactively, you can set the
--password-stdinflag to provide a password through STDIN. Using STDIN prevents the password from ending up in the shell’s history, or log-files.
The following examples read a password from a file, and passes it to the docker login command using STDIN:
$ cat ~/my_password.txt | docker login --username foo --password-stdin
or
$ docker login --username foo --password-stdin < ~/my_password
The following example reads a password from a variable, and passes it to the docker login command using STDIN:
$ echo "$MY_PASSWORD" | docker login --username foo --password-stdin
16 Comments
Dimitri Kopriwa
Thanks a lot for the example. Now another question, why would
--password would end up in shell history or log files? We use a CI process for release our docker image so there is no history and I can't see anything in the log after doing the command.
FelicianoTech
It's assuming you typed it yourself, not a CI environment.
nickgryg
@Thomas
command < FILENAME expression means Accept input from a file. You cannot use it for a variable.
Dobes Vandermeer
The echo avoids the warning message but not the security issue docker is trying to warn you about. You'll still have the password available in the process listing and potentially bash history.
vmallet
If MY_USERNAME and MY_PASSWORD are env variables, then this won't leave crumbs all over your history:
env | grep "^MY_PASSWORD=" | cut -d= -f2 | docker login -u "$MY_USERNAME" --password-stdin |
The same echo command on a Windows-based system (or when running in an Azure Pipelines task based on vs2017-win2016) does also output an additional newline.
A workaround is to use set /p. See also this question + answer.
The full command will be like:
echo | set /p="my_password" | docker login --username foo --password-stdin
1 Comment
M.A.Naseer
Pleae note the username is not same as your email address. Check your profile on Docker Hub and provide the username specified there.
Setup in github actions:
echo ${{ secrets.DOCKER_TOKEN }} | docker login --username ${{ secrets.DOCKER_USERNAME }} --password-stdin
2 Comments
Max Power
Still gives
WARNING! Your password will be stored unencrypted in /home/runner/.docker/config.json.
Jhonny Ramirez Zeballos
At the end add "docker logout" in your github actions to delete the password of config.json
Windows 10 solution using powershell:
Use Notepad to create a one line text file with your password. The file was named "password1.txt" for the command line below to work.
Save this file in the folder you are using in powershell (...typically C:\Users\Your_Username ).
Get-Content password1.txt | docker login --username my_username --password-stdin
Refer: Redirecting standard input\output in Windows PowerShell
Comments
And with Windows batch (if not using PowerShell) :
type password.txt | docker login --username foo --password-stdin
Comments
For AWS CLI users receiving this warning when logging in to ECR, the recommended authentication mechanism received an update (since version 1.17.10) to include a command to address this warning.
Before:
$(aws ecr get-login --no-include-email)
After:
aws ecr get-login-password | docker login --username AWS --password-stdin $AWS_REGISTRY_URL
Comments
This is a warning one commonly gets using AWS. If this is the case, another solution to the problem could be not explicitly running the command so that it gets stored in the history. To do this, one could use (with aws2)
eval $(aws2 ecr get-login --no-include-email)
Even though you will still see the warning, the explicit docker command containing the key/password is not stored in the bash history. If unconvinced, try running the history command to see for yourself.
3 Comments
CoatedMoose
This still outputs the same warning. Additionally, if you've run
set -v or set -x (useful for debugging), the entire command being evald will be output. This results in the token/password used saved in your logs.
mapto
@CoatedMoose, I'd avoid
-v or -x in production setups in general.CoatedMoose
In general, sure. In particular, I ran into this issue in a deployment script. IMO, perfectly reasonable to output progress throughout a deployment script to track which part of a deployment script is in-progress/hung/failing.
