141

I have the following warning when I log in to my registry during a continuous integration (CI) process:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.

Should I just replace --password with --password-stdin?

Dimitri Kopriwa

7 Answers

234

According to docker documentation:

To run the docker login command non-interactively, you can set the --password-stdin flag to provide a password through STDIN. Using STDIN prevents the password from ending up in the shell’s history, or log-files.

The following examples read a password from a file and pass it to the docker login command using STDIN:

$ cat ~/my_password.txt | docker login --username foo --password-stdin

or

$ docker login --username foo --password-stdin < ~/my_password

The following example reads a password from a variable, and passes it to the docker login command using STDIN:

$ echo "$MY_PASSWORD" | docker login --username foo --password-stdin
nickgryg
  • Thanks a lot for the example. Now another question: why would `--password` end up in shell history or log files? We use a CI process for releasing our docker image so there is no history and I can't see anything in the log after doing the command. – Dimitri Kopriwa Jul 26 '18 at 12:28
  • It's assuming you typed it yourself, not a CI environment. – FelicianoTech Sep 15 '18 at 19:28
  • Why wouldn't this work? (it doesn't, but I don't understand why since I'm not very good with bash): `docker login --username foo --password-stdin < "$MY_PASSWORD"` – Thomas Oct 30 '18 at 23:25
  • @Thomas `command < FILENAME` expression means `Accept input from a file`. You cannot use it for a variable. – nickgryg Nov 04 '18 at 11:50
  • The echo avoids the warning message but not the security issue docker is trying to warn you about. You'll still have the password available in the process listing and potentially bash history. – Dobes Vandermeer Dec 26 '19 at 21:30
  • `echo` in bash does not really run the command but it is directly passed in. – Mitar Jun 15 '20 at 07:47
  • Another pro tip is that prefixing your command with a space usually leaves the command out of history. – lindhe Aug 17 '20 at 12:30
  • @DimitriKopriwa When a command is run in a shell its history is stored; we can see the latest commands we ran by using the arrow up key, so there is a chance that the password will be visible. But if we pass the password using stdin we won't be typing the password, rather passing it to the linked command via a pipe or some other operator. So if we press key up we won't see the password at all. – GPuri Feb 07 '21 at 10:16
  • To work with AWS: `aws ecr get-login-password | docker login --username AWS --password-stdin REPO_URI` – B Seven Jan 04 '22 at 21:36
  • `echo "$MY_PASSWORD" | docker login --username foo --password-stdin` not working in @gitlab ci – Job M Apr 17 '22 at 14:03
  • If MY_USERNAME and MY_PASSWORD are env variables, then this won't leave crumbs all over your history: `env | grep "^MY_PASSWORD=" | cut -d= -f2 | docker login -u "$MY_USERNAME" --password-stdin` – vmallet Dec 07 '22 at 22:41
  • @vmallet That's clever. Small caveat that `cut` will split on every occurrence of the delimiter, so you might want `cut -d= -f2-` to include all fields after the first occurrence if your password includes another `=`. – RiverHeart Mar 10 '23 at 19:39
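A CI login helper built on the pipe-to-stdin form from this answer, written here as an added example (it is not code from the answer or from Docker). It assumes a `docker` CLI in PATH and a secret that the CI system delivers in an environment variable or a file, and it also covers the trailing newline that `echo` adds, the `=`-in-password pitfall and the `set -x` leak raised elsewhere on this page.

```shell
#!/bin/sh
# Added example, not code from the original answers or from Docker.
# Assumes: `docker` in PATH; the secret arrives via an env variable or a file.

# Emit the password bytes exactly as docker will read them. printf is a
# shell builtin, so the secret never appears as an argument in `ps` output,
# and unlike echo it appends no trailing newline.
password_stdin() {
  printf '%s' "$1"
}

# Log in using the password held in the environment variable named by $2.
#   $1 = registry username   $2 = variable name   $3 = registry host (optional)
docker_login_from_env() {
  _user=$1 _var=$2
  # Read the value via env + sed rather than eval, so the shell never
  # re-parses the secret; sed strips only the "NAME=" prefix, so a password
  # containing '=' survives intact (unlike `cut -d= -f2`).
  _pw=$(env | sed -n "s/^${_var}=//p")
  [ -n "$_pw" ] || { echo "docker_login_from_env: $_var is empty" >&2; return 2; }
  # Silence xtrace while the secret is in play so `set -x` cannot log it.
  case $- in *x*) _xtrace=1; set +x ;; *) _xtrace=0 ;; esac
  password_stdin "$_pw" | docker login --username "$_user" --password-stdin ${3:+"$3"}
  _rc=$?
  [ "$_xtrace" -eq 1 ] && set -x
  unset _pw
  return $_rc
}

# Same, but with the password in a file the CI job wrote (e.g. a mounted secret).
#   $1 = registry username   $2 = password file   $3 = registry host (optional)
# $(cat ...) drops trailing newlines, so an editor-added newline is not sent.
docker_login_from_file() {
  _pw=$(cat "$2") || return 2
  password_stdin "$_pw" | docker login --username "$1" --password-stdin ${3:+"$3"}
}
```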
17

The same echo command on a Windows based system (or when running in an Azure Pipelines task based on vs2017-win2016) also outputs an additional newline.

A workaround for this is to use set /p, see also question + answer.

The full command will be like:
echo | set /p="my_password" | docker login --username foo --password-stdin

Stef Heyenrath
  • Please note the username is not the same as your email address. Check your profile on Docker Hub and provide the username specified there. – M.A.Naseer Jul 16 '19 at 19:18
4

Windows 10 solution using PowerShell:

Use Notepad to create a one-line text file with your password. The file was named "password1.txt" for the command line below to work.
Save this file in the folder you are using in PowerShell (typically C:\Users\Your_Username).

Get-Content password1.txt | docker login --username my_username --password-stdin

Refer: Redirecting standard input\output in Windows PowerShell

tds
3

Setup in GitHub Actions:

echo ${{ secrets.DOCKER_TOKEN }} | docker login --username ${{ secrets.DOCKER_USERNAME }} --password-stdin
1

This is a warning one commonly gets using AWS. If this is the case, another solution to the problem could be not explicitly running the command so that it gets stored in the history. To do this, one could use (with aws2)

eval $(aws2 ecr get-login --no-include-email)

Even though you will still see the warning, the explicit docker command containing the key/password is not stored in the bash history. If unconvinced, try running the history command to see for yourself.

mapto
  • This still outputs the same warning. Additionally, if you've run `set -v` or `set -x` (useful for debugging), the entire command being `eval`d will be output. This results in the token/password used being saved in your logs. – CoatedMoose Aug 11 '23 at 17:22
  • @CoatedMoose, I'd avoid `-v` or `-x` in production setups in general. – mapto Aug 15 '23 at 05:30
  • In general, sure. In particular, I ran into this issue in a deployment script. IMO, it is perfectly reasonable to output progress throughout a deployment script to track which part of a deployment script is in-progress/hung/failing. – CoatedMoose Aug 15 '23 at 19:26
1

And with Windows batch (if not using PowerShell):

type password.txt | docker login --username foo --password-stdin
Jad B.
0

For AWS CLI users receiving this warning when logging in to ECR, the recommended authentication mechanism received an update (since version 1.17.10) to include a command to address this warning.

Before:

$(aws ecr get-login --no-include-email)

After:

aws ecr get-login-password | docker login --username AWS --password-stdin $AWS_REGISTRY_URL
CoatedMoose