Credential Storage Mechanisms - docker/docker-credential-helpers

The docker-credential-helpers project (https://github.com/docker/docker-credential-helpers) provides helper programs that use native OS credential stores to hold Docker registry credentials. Without a helper, docker login writes the username and password, merely base64-encoded as "user:password", into the "auths" map of $HOME/.docker/config.json, where any process running as that user can read them. With a helper configured, config.json holds only the helper's name and the secrets live in the OS keystore, which encrypts them at rest and can gate access behind the user's login session.

The following credential storage mechanisms are available. In every case the helper binary must be on the PATH the Docker CLI sees, and the config key is credsStore (with an "s"): the CLI ignores unknown keys, so a misspelled "credStore" does not fail loudly but silently leaves credentials in config.json.

  1. osxkeychain (for macOS): This helper uses the native macOS Keychain to store and manage Docker credentials. To use it, place the docker-credential-osxkeychain binary in a directory in your $PATH and specify "osxkeychain" as the value of the credsStore property in the $HOME/.docker/config.json file.

Example:

{
  "credsStore": "osxkeychain"
}

  2. wincred (for Windows): This helper uses the Windows Credential Manager to store and manage Docker credentials. To use it, place the docker-credential-wincred.exe binary in a directory in your %PATH% and set "wincred" as the value of the credsStore property in the %USERPROFILE%\.docker\config.json file.

Example:

{
  "auths": {},
  "credsStore": "wincred"
}

  3. secretservice (for Linux): This helper stores credentials through the freedesktop Secret Service API over the D-Bus session bus, using libsecret. A Secret Service provider such as GNOME Keyring must be running and unlocked in the user's session; on a headless host or in a CI job with no session bus the helper fails, and pass is the usual choice there. To use it, install the libsecret runtime library (libsecret-1-0 on Debian/Ubuntu; libsecret-1-dev is needed only to build the helper from source), place the docker-credential-secretservice binary in a directory in your $PATH and set "secretservice" as the value of the credsStore property in the ~/.docker/config.json file.

Example:

{
  "auths": {},
  "credsStore": "secretservice"
}

  4. pass (for Linux): This helper uses the pass password manager, which encrypts every entry with GnuPG. To use it, install pass and GnuPG, initialize the password store with a GPG key (pass init <gpg-id>) so that docker login has somewhere to write, place the docker-credential-pass binary in a directory in your $PATH and set "pass" as the value of the credsStore property in the ~/.docker/config.json file.

Example:

{
  "auths": {},
  "credsStore": "pass"
}

The repository also provides:

  1. client: a Go library (github.com/docker/docker-credential-helpers/client) for driving any helper binary. It gives callers one interface (Store, Get, Erase, List) regardless of which helper is installed and is what the Docker CLI itself uses.

  2. docker-credential-osxkeychain, docker-credential-secretservice, docker-credential-pass and docker-credential-wincred: the platform-specific helper binaries. All of them speak the same protocol, so the Docker CLI does not need to know which one it is talking to.

To use a custom credential helper for particular registries, specify it in the credHelpers property of the $HOME/.docker/config.json file. Each key is a registry hostname as given to docker login (no scheme), and the value is the suffix of the program to use, i.e. everything after docker-credential- in the executable name; the Docker CLI runs docker-credential-<suffix> from the PATH. A credHelpers entry takes precedence over credsStore for the registry it names; registries not listed fall back to credsStore, and if that is not set either, to config.json.

Example:

{
  "credHelpers": {
    "registry.example.com": "registryhelper",
    "awesomereg.example.org": "hip-star",
    "unicorn.example.io": "vcbait"
  }
}
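The protocol the Docker CLI speaks to docker-credential-<suffix> is small enough to show in full, and writing a helper is the clearest way to see what both the client library above and a credHelpers entry actually do. The following is an added example written for this page, not code from docker/docker-credential-helpers (the project's credentials package offers credentials.Serve and a Helper interface that handle this plumbing for a real helper). It is a helper named docker-credential-example that keeps credentials in a JSON file with mode 0600; the helper name, the file path and the registry hostnames used in the test are assumptions. The verb arrives as the first argument (store, get, erase or list), the payload arrives on stdin (a JSON object for store, the bare server URL for get and erase), results go to stdout as JSON, and a missing entry must be reported with the exact text "credentials not found in native keychain" on stdout with a non-zero exit, which is how the CLI tells "no credentials for this registry" apart from a broken helper.

```go
// docker-credential-example: minimal custom Docker credential helper (added example, not project code).
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Credentials mirrors the JSON the Docker CLI exchanges with a helper.
type Credentials struct {
	ServerURL string
	Username  string
	Secret    string
}

type Store map[string]Credentials // server URL -> credentials (the on-disk format)

// Exact text the CLI matches on stdout to tell "no entry" from a crashed helper.
var ErrNotFound = errors.New("credentials not found in native keychain")

func load(path string) (Store, error) {
	s := Store{}
	b, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return s, nil // first run: no file yet
	} else if err != nil {
		return nil, err
	}
	return s, json.Unmarshal(b, &s)
}

func save(path string, s Store) error {
	b, _ := json.Marshal(s)               // a map of string fields cannot fail to marshal
	return os.WriteFile(path, b, 0o600) // owner read/write only
}

// Handle applies one protocol verb with its stdin payload to the store and returns what to print on stdout.
func Handle(s Store, verb string, stdin io.Reader) (string, error) {
	in, err := io.ReadAll(stdin)
	if err != nil {
		return "", err
	}
	switch verb {
	case "store": // stdin: {"ServerURL":"...","Username":"...","Secret":"..."}
		var c Credentials
		if err := json.Unmarshal(in, &c); err != nil {
			return "", err
		}
		if c.ServerURL == "" || c.Username == "" || c.Secret == "" {
			return "", errors.New("store: ServerURL, Username and Secret are required")
		}
		s[c.ServerURL] = c
		return "", nil
	case "get": // stdin: the server URL; stdout: the matching credentials as JSON
		c, ok := s[strings.TrimSpace(string(in))]
		if !ok {
			return "", ErrNotFound
		}
		out, err := json.Marshal(c)
		return string(out), err
	case "erase": // stdin: the server URL
		delete(s, strings.TrimSpace(string(in)))
		return "", nil
	case "list": // stdout: {"<server URL>":"<username>"}; secrets are never listed
		names := map[string]string{}
		for url, c := range s {
			names[url] = c.Username
		}
		out, err := json.Marshal(names)
		return string(out), err
	}
	return "", fmt.Errorf("unknown verb %q (want store|get|erase|list)", verb)
}

func main() {
	verb := strings.Join(os.Args[1:], " ") // exactly one verb is expected
	home, _ := os.UserHomeDir()
	path := filepath.Join(home, ".docker-credential-example.json") // assumed location
	s, err := load(path)
	var out string
	if err == nil {
		if out, err = Handle(s, verb, os.Stdin); err == nil {
			err = save(path, s)
		}
	}
	if err != nil {
		fmt.Println(err) // protocol: error text on stdout, non-zero exit status
		os.Exit(1)
	}
	fmt.Print(out)
}
```

Build it as docker-credential-example, put it on the PATH, add "credHelpers": {"registry.example.com": "example"} to config.json, and exercise it by hand the way the CLI does, e.g. printf 'https://registry.example.com' | docker-credential-example get, which prints the stored JSON or the not-found message with exit status 1. The file-backed store is there only to make the protocol visible; a real helper should hand the secret to an OS keystore, as the four bundled helpers do, rather than write it to disk itself.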
