Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

eval aws ecr get-login should provide option to use password-stdin #3687

Closed
kojiromike opened this issue Oct 26, 2018 · 3 comments
Closed

eval aws ecr get-login should provide option to use password-stdin #3687

kojiromike opened this issue Oct 26, 2018 · 3 comments
Assignees
@justnance
Labels
duplicate This issue is a duplicate. feature-request A feature should be added or improved.

Comments

@kojiromike
Copy link

The instructions are pretty clear that aws ecr get-login prints credentials. Since these credentials are designed to be used in an eval context, the password can be observed elsewhere on the machine.

$ eval "$(aws ecr get-login --no-include-email)"
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

But recent versions of docker support a more secure approach using --password-stdin. You can use it now, but it's cumbersome:

$ read -sra cmd < <(aws ecr get-login --no-include-email)
$ pass="${cmd[5]}"
$ unset cmd[4] cmd[5]
$ "${cmd[@]}" --password-stdin <<< "$pass"
Login Succeeded

Or as a one-liner if you feel like manually composing the endpoint url:

$ aws ecr get-login --no-include-email | awk '{print $6}' | docker login -u AWS --password-stdin "$endpoint"
Login Succeeded

aws could support clean, secure docker login by providing more machine-parseable output, by providing a docker credentials-helper, or by providing the password separately from the rest of the command as in:

$ aws ecr get-password | eval "$(aws ecr get-login --password-stdin)"
@JordonPhillips JordonPhillips added the feature-request A feature should be added or improved. label Nov 5, 2018
@JordonPhillips
Copy link
Member

The trick, potentially, is windows support, so something like that last bit may be necessary. In any case we should definitely support the stdin password feature.

@gonrial
Copy link

gonrial commented Jul 5, 2019

Duplicated #2875

@justnance justnance self-assigned this Jul 8, 2019
@justnance justnance added the duplicate This issue is a duplicate. label Jul 8, 2019
@justnance
Copy link

@gonrial - Thanks for pointing out this is a duplicated. I'm going to close this issue so we can continue tracking the discussion under #2875.

@rpnguyen rpnguyen mentioned this issue Jan 22, 2020
Closed
matthew-russo pushed a commit to matthew-russo/aws-cli that referenced this issue Jan 24, 2020
adds aws ecr get-login-password customization
a9bbbc0 
as proposed in aws#4867,
and previously discussed in
aws#2875 (comment)
aws#3687 (comment)

this commit adds a new customization command for ECR that only
returns the password to login to a registry. this approach is
composable, is compatible with other container clients, allows
use of functionality like Docker's --password-stdin flag, and
is more resilient to changes in client APIs
matthew-russo pushed a commit to matthew-russo/aws-cli that referenced this issue Jan 24, 2020
adds aws ecr get-login-password customization
1261783 
as proposed in aws#4867,
and previously discussed in
aws#2875 (comment)
aws#3687 (comment)

this commit adds a new customization command for ECR that only
returns the password to login to a registry. this approach is
composable, is compatible with other container clients, allows
use of functionality like Docker's --password-stdin flag, and
is more resilient to changes in client APIs
matthew-russo pushed a commit to matthew-russo/aws-cli that referenced this issue Jan 24, 2020
adds aws ecr get-login-password customization
8969480 
as proposed in aws#4867,
and previously discussed in
aws#2875 (comment)
aws#3687 (comment)

this commit adds a new customization command for ECR that only
returns the password to login to a registry. this approach is
composable, is compatible with other container clients, allows
use of functionality like Docker's --password-stdin flag, and
is more resilient to changes in client APIs
@matthew-russo matthew-russo mentioned this issue Jan 24, 2020
Merged
matthew-russo pushed a commit to matthew-russo/aws-cli that referenced this issue Jan 24, 2020
adds aws ecr get-login-password customization
784906d 
as proposed in aws#4867,
and previously discussed in
aws#2875 (comment)
aws#3687 (comment)

this commit adds a new customization command for ECR that only
returns the password to login to a registry. this approach is
composable, is compatible with other container clients, allows
use of functionality like Docker's --password-stdin flag, and
is more resilient to changes in client APIs
matthew-russo pushed a commit to matthew-russo/aws-cli that referenced this issue Jan 24, 2020
adds aws ecr get-login-password customization
00cfc2c 
as proposed in aws#4867,
and previously discussed in
aws#2875 (comment)
aws#3687 (comment)

this commit adds a new customization command for ECR that only
returns the password to login to a registry. this approach is
composable, is compatible with other container clients, allows
use of functionality like Docker's --password-stdin flag, and
is more resilient to changes in client APIs
@pda pda mentioned this issue Mar 4, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@justnance justnance

Labels
duplicate This issue is a duplicate. feature-request A feature should be added or improved.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@gonrial @kojiromike @JordonPhillips @justnance