.docker/config.json auths secrets
Before we start, backup ~/.docker/config.json and export DOCKER_CONFIG=~/.docker.
We will be using sh.
We should now have an empty $DOCKER_CONFIG/config.json.
If you are on Mac OS X like me, after we issue some docker login command we should be able to spot a credsStore attribute in our docker config.json:
"credsStore": "desktop"
or even
"credsStore": "osxkeychain"
Let's make sure we remove that attribute. docker login will now warn us that the authorizations values will be stored unencrypted:
WARNING! Your password will be stored unencrypted in ~/.docker/config.json.
For example if we issue a docker login ... with a service account on google cloud
docker login -u _json_key --password-stdin https://europe-west1-docker.pkg.dev < ~/.gcp/sa-secret.json
We would also spot auths attribute with a base64 encoded string value.
{
"auths": {
"europe-west1-docker.pkg.dev": {
"auth": "BASE64ENCODEDxxxx",
//...
}
We can use docker-credential-helpers from docker credentials release
to retrieve that "auth" value.
For example with docker-credential-osxkeychain release:
echo europe-west1-docker.pkg.dev | docker-credential-osxkeychain get
{
"ServerURL": "europe-west1-docker.pkg.dev",
"Username": "_json_key",
"Secret": {
// ...
}
}
We would finally find that in $DOCKER_CONFIG/config.json the base64 encoded value is nothing else than
_json_key:{
// ... value retrieved from docker-credential-oskeychain
}
But not that this is not rigorous JSON where we would had "_json_key":{}.
I haven't gone further but let's take it further if we find the right time.
Let's hope this gave you some ideas regarding your daily or uncommon routines. Let us know if you found that useful ;-)
See also
Docker credentials store
IAM Predefined roles
Kind Private Registries
StackOverflow "How to get value from docker-credential-osxkeychain"
Top comments (0)