Malik Benkirane

docker config auths reverse engineering

.docker/config.json auths secrets

Before we start, back up ~/.docker/config.json and export DOCKER_CONFIG=~/.docker.

We will be using sh.

We should now have an empty $DOCKER_CONFIG/config.json.

If you are on Mac OS X like me, after we issue some docker login command we should be able to spot a credsStore attribute in our docker config.json:

        "credsStore": "desktop"

or even

        "credsStore": "osxkeychain"

Let's make sure we remove that attribute. docker login will now warn us that the credentials will be stored unencrypted:

WARNING! Your password will be stored unencrypted in ~/.docker/config.json.

For example, if we issue a docker login ... with a service account on Google Cloud:

docker login -u _json_key --password-stdin https://europe-west1-docker.pkg.dev  < ~/.gcp/sa-secret.json

We would also spot an auths attribute with a base64-encoded string value:

{
        "auths": {
                "europe-west1-docker.pkg.dev": {
                        "auth": "BASE64ENCODEDxxxx"
                }
        }
        //...
}

We can use docker-credential-helpers, from the docker credentials release, to retrieve the credential behind that "auth" value.

For example, with the docker-credential-osxkeychain release:

echo europe-west1-docker.pkg.dev | docker-credential-osxkeychain get
{
  "ServerURL": "europe-west1-docker.pkg.dev",
  "Username": "_json_key",
  "Secret": {
    // ...
  }
}

Finally, we find that the base64-encoded value in $DOCKER_CONFIG/config.json decodes to nothing else than

_json_key:{
   // ... value retrieved from docker-credential-osxkeychain
}

But note that this is not rigorous JSON, where we would have had "_json_key":{}: the username and the secret are simply joined by a colon.
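To check a config.json for credentials stored this way, the following added example (not part of the original post) decodes each auth value as username:secret, splitting on the first colon only, and reports the registry, username and secret length without returning the secret. The function names, the second registry name and the sample config are constructed for illustration.

```python
import base64
import binascii
import json


def audit_docker_config(config_text):
    """Return (creds_store, findings) for a Docker config.json document.

    Each finding is (registry, username, secret_length); the secret itself
    is never returned, so the result is safe to log.
    """
    config = json.loads(config_text)
    findings = []
    for registry, entry in config.get("auths", {}).items():
        encoded = entry.get("auth")
        if not encoded:
            # No inline value: the credential is held by a credential store.
            continue
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            findings.append((registry, None, None))  # present but undecodable
            continue
        # Split on the FIRST colon only: a JSON key secret contains colons.
        username, sep, secret = decoded.partition(":")
        if not sep:
            findings.append((registry, None, None))  # not username:secret
            continue
        findings.append((registry, username, len(secret)))
    return config.get("credsStore"), findings


def sample_config():
    """Constructed sample: one inline credential, one entry held by a store."""
    secret = '{"type": "service_account", "private_key_id": "CONSTRUCTED"}'
    token = base64.b64encode(("_json_key:" + secret).encode()).decode()
    return json.dumps({
        "auths": {
            "europe-west1-docker.pkg.dev": {"auth": token},
            "registry.example.test": {},
        }
    })


if __name__ == "__main__":
    store, findings = audit_docker_config(sample_config())
    print("credsStore:", store or "none (credentials are stored inline)")
    for registry, username, secret_len in findings:
        print(f"{registry}: inline credential for {username!r}, {secret_len} characters")
```

Any registry the function reports holds a recoverable secret on disk; restoring the credsStore attribute and logging in again moves it back into the keychain.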

I haven't gone further but let's take it further if we find the right time.

Let's hope this gave you some ideas regarding your daily or uncommon routines. Let us know if you found that useful ;-)

See also

Docker credentials store
IAM Predefined roles
Kind Private Registries
StackOverflow "How to get value from docker-credential-osxkeychain"
