Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Masking Docker Credentials in Amazon ECR Login Action #526

Open
yyichenn opened this issue Sep 27, 2023 · 4 comments
Open

Masking Docker Credentials in Amazon ECR Login Action #526

yyichenn opened this issue Sep 27, 2023 · 4 comments

Comments

@yyichenn
Copy link
Contributor

Background

The Amazon ECR Login GitHub Action allows users to login to their ECR Private or Public registry in a GitHub Actions workflow. The action is used in parallel with the configure-aws-credentials action in order to allow the login action to use the AWS CLI. It retrieves an auth token by calling ECR’s GetAuthorizationToken API and passes the token into a docker login command to enable pushing and pulling from ECR repositories in subsequent steps. This token is valid for 12 hours, and can only be used for ECR actions required for push and pull. The Docker credentials retrieved from the token are set as outputs, so customers can use them in other jobs in their workflow.

Issue

These Docker credentials are printed in the action logs if the workflow execution has debug logging enabled. This means that,

  • In public repositories, anyone who is logged in with a GitHub account can see the Docker credentials in the repository’s action logs.

  • In private repositories, anyone with read-access to the repository can see the Docker credentials in the repository’s action logs.

Solution

We added a parameter to begin allowing users to mask Docker credentials in their workflow as part of v1.7.0. However, the default behavior, as of v1.7.0, is to not mask the credentials. In order to adhere to security best practices, we have released a new major version of the action, v2, that masks the Docker credentials by default. This is a breaking change, and customers relying on these credentials being available in subsequent jobs will need to explicitly configure their action to not mask credentials.

For more information on how to migrate, please see https://github.com/aws-actions/amazon-ecr-login#new-v2-release.
@arjraman arjraman added the good-first-issue Good for newcomers label Sep 27, 2023
@yyichenn yyichenn mentioned this issue Sep 28, 2023
Closed
@arjraman arjraman removed the good-first-issue Good for newcomers label Sep 28, 2023
@bengotow
Copy link

Hey gang, I see that the README and this issue request that I upgrade to aws-actions/amazon-ecr-login@v2, but trying to use that version in a github action results in this error:

Error: Unable to resolve action `aws-actions/amazon-ecr-login@v2`, unable to find version `v2`

Maybe the v2 update has not actually been published yet?

image

@yyichenn
Copy link
Contributor Author

Hi , and thanks for reaching out.

v2 has not been released yet and the scheduled release date is October 02, 2023, PST. We apologize for any confusion.

@tmpfs
Copy link

tmpfs commented Oct 1, 2023

@yyichenn, I just hit this. Would have been better to update the readme after the release tag has been pushed. Seems strange to document an unreleased release.

@arjraman
Copy link
Contributor

arjraman commented Oct 2, 2023

v2 version has now been released.

@ecr-cicd-bot ecr-cicd-bot pinned this issue Oct 2, 2023
omad added a commit to GeoscienceAustralia/dea-notebooks that referenced this issue Dec 4, 2023
@omad
[ci] Bump AWS ECR Login Action to now mask creds
525cc2a 
Now use v2, which masks creds by default.
See aws-actions/amazon-ecr-login#526
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tmpfs @bengotow @arjraman @yyichenn