Masking Docker Credentials in Amazon ECR Login Action #526

Open
yyichenn opened this issue Sep 27, 2023 · 5 comments
@yyichenn
Contributor

Background

The Amazon ECR Login GitHub Action allows users to log in to their ECR Private or Public registry in a GitHub Actions workflow. The action is used in parallel with the configure-aws-credentials action in order to allow the login action to use the AWS CLI. It retrieves an auth token by calling ECR’s GetAuthorizationToken API and passes the token into a docker login command to enable pushing and pulling from ECR repositories in subsequent steps. This token is valid for 12 hours, and can only be used for ECR actions required for push and pull. The Docker credentials retrieved from the token are set as outputs, so customers can use them in other jobs in their workflow.

Issue

These Docker credentials are printed in the action logs if the workflow execution has debug logging enabled. This means that,

  • In public repositories, anyone who is logged in with a GitHub account can see the Docker credentials in the repository’s action logs.

  • In private repositories, anyone with read-access to the repository can see the Docker credentials in the repository’s action logs.

Solution

We added a parameter to begin allowing users to mask Docker credentials in their workflow as part of v1.7.0. However, the default behavior, as of v1.7.0, is to not mask the credentials. In order to adhere to security best practices, we have released a new major version of the action, v2, that masks the Docker credentials by default. This is a breaking change, and customers relying on these credentials being available in subsequent jobs will need to explicitly configure their action to not mask credentials.

For more information on how to migrate, please see https://github.com/aws-actions/amazon-ecr-login#new-v2-release.
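
The migration described in this issue, written out as workflow configuration. This is an added example, not part of the original post or the action's repository; the account ID, role ARN, region and job names are placeholders, and the long output names assume the action's README naming for that registry host.

```yaml
# Added example (not from the action's repository). The account id, role
# ARN and region are placeholders.
name: ecr-login-masking
on: push
permissions:
  id-token: write   # OIDC for configure-aws-credentials
  contents: read

jobs:
  # v1.7.0: the parameter exists, but credentials stay unmasked unless you opt in.
  login-v1-opt-in:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-role
          aws-region: us-east-1
      - uses: aws-actions/amazon-ecr-login@v1.7.0
        with:
          mask-password: 'true'

  # v2: masked by default, nothing to set. Later steps in the same job
  # still push and pull because docker login has already run.
  login-v2-default:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-role
          aws-region: us-east-1
      - uses: aws-actions/amazon-ecr-login@v2

  # v2 with the explicit opt-out, only for a workflow that must hand the
  # credentials to another job. They appear in debug logs again.
  login-v2-opt-out:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-role
          aws-region: us-east-1
      - id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          mask-password: 'false'
    outputs:
      # Output names follow the registry host (assumed from the README).
      docker_username: ${{ steps.login-ecr.outputs.docker_username_123456789012_dkr_ecr_us_east_1_amazonaws_com }}
      docker_password: ${{ steps.login-ecr.outputs.docker_password_123456789012_dkr_ecr_us_east_1_amazonaws_com }}
```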

@bengotow

Hey gang, I see that the README and this issue request that I upgrade to aws-actions/amazon-ecr-login@v2, but trying to use that version in a github action results in this error:

Error: Unable to resolve action `aws-actions/amazon-ecr-login@v2`, unable to find version `v2`

Maybe the v2 update has not actually been published yet?

@yyichenn
Contributor Author

Hi, and thanks for reaching out.

v2 has not been released yet and the scheduled release date is October 02, 2023, PST. We apologize for any confusion.

@tmpfs

tmpfs commented Oct 1, 2023

@yyichenn, I just hit this. Would have been better to update the readme after the release tag has been pushed. Seems strange to document an unreleased release.

@arjraman
Contributor

arjraman commented Oct 2, 2023

v2 version has now been released.

@ecr-cicd-bot ecr-cicd-bot pinned this issue Oct 2, 2023
omad added a commit to GeoscienceAustralia/dea-notebooks that referenced this issue Dec 4, 2023
@samarthgowda96

samarthgowda96 commented Sep 3, 2024

 Run aws-actions/amazon-ecr-login@v2
  with:
    mask-password:  "true"
    registry-type: private
    skip-logout: false
  env:
    AWS_ACCESS_KEY_ID: You are printing meeeee; just mask me pls 
How do I mask the secrets? I don't want them to appear in the logs.
