Convert Figma logo to code with AI

docker logodocker-credential-helpers

Programs to keep Docker login credentials safe by storing in platform keystores

1,065
169
1,065
84
View on GitHub

Top Related Projects

99designs's avatar

aws-vault

8,398

A vault for securely storing and accessing AWS credentials in development environments

hashicorp's avatar

vault

31,032

A tool for secrets management, encryption as a service, and privileged access management

bitnami-labs's avatar

sealed-secrets

7,621

A Kubernetes controller and tool for one-way encrypted Secrets

getsops's avatar

sops

16,722

Simple and flexible tool for managing secrets

Quick Overview

Docker Credential Helpers is a suite of programs to store and retrieve Docker credentials from various external credential stores. It provides a standardized way for Docker to interact with different credential management systems, enhancing security by allowing users to store their Docker registry credentials securely outside of Docker's configuration files.

Pros

  • Improves security by storing credentials in system-specific secure storage
  • Supports multiple credential stores (e.g., macOS Keychain, Windows Credential Manager)
  • Easy integration with Docker CLI and Docker Engine
  • Open-source and actively maintained

Cons

  • Limited to specific operating systems and credential stores
  • Requires additional setup and configuration
  • May introduce complexity for users unfamiliar with credential management
  • Potential for compatibility issues with certain Docker versions or configurations

Code Examples

  1. Using the credential helper with Docker CLI:
# Set the credential helper for a specific registry
docker login --username myuser --password-stdin https://example.com
  1. Configuring the credential helper in Docker config file:
{
  "credsStore": "osxkeychain"
}
  1. Manually adding credentials using the helper:
echo "https://example.com" | docker-credential-osxkeychain store

Getting Started

To use Docker Credential Helpers:

  1. Install the appropriate helper for your system:

    # For macOS
brew install docker-credential-helper

  2. Configure Docker to use the helper:

    # Edit ~/.docker/config.json
{
  "credsStore": "osxkeychain"
}

  3. Log in to a Docker registry:

    docker login example.com

The credentials will now be stored securely using the configured helper.

Competitor Comparisons

99designs logo

aws-vault

8,398

A vault for securely storing and accessing AWS credentials in development environments

Pros of aws-vault

  • Specifically designed for AWS credentials management
  • Supports temporary credential generation and role assumption
  • Offers MFA support and multiple backend options for credential storage

Cons of aws-vault

  • Limited to AWS ecosystem, not as versatile for other cloud providers
  • May require additional setup and configuration compared to simpler solutions

Code Comparison

aws-vault:

sess := session.Must(session.NewSessionWithOptions(session.Options{
    SharedConfigState: session.SharedConfigEnable,
}))
creds := stscreds.NewCredentials(sess, roleARN)

docker-credential-helpers:

creds, err := client.Get(serverURL)
if err != nil {
    log.Fatal(err)
}

Key Differences

  1. Scope: aws-vault focuses on AWS credentials, while docker-credential-helpers is more generic.
  2. Features: aws-vault offers advanced AWS-specific features, whereas docker-credential-helpers provides basic credential storage.
  3. Integration: docker-credential-helpers is tightly integrated with Docker, while aws-vault is standalone but AWS-centric.
  4. Complexity: aws-vault has more features but may be more complex to set up, while docker-credential-helpers is simpler but less feature-rich.

Both tools serve different purposes and can be valuable depending on the specific use case and ecosystem requirements.

hashicorp logo

vault

31,032

A tool for secrets management, encryption as a service, and privileged access management

Pros of Vault

  • More comprehensive secret management solution with advanced features like dynamic secrets, encryption as a service, and audit logging
  • Supports multiple authentication methods and fine-grained access control policies
  • Highly scalable and designed for enterprise-level deployments

Cons of Vault

  • More complex setup and configuration compared to docker-credential-helpers
  • Requires additional infrastructure and resources to run
  • Steeper learning curve for users and administrators

Code Comparison

docker-credential-helpers:

func (h *osxkeychain) Add(creds *credentials.Credentials) error {
    item := &keychain.Item{
        Service: creds.ServerURL,
        Account: creds.Username,
    }
    item.SetSecClass(keychain.SecClassGenericPassword)
    item.SetData([]byte(creds.Secret))
    return keychain.AddItem(item)
}

Vault:

func (b *backend) handleWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
    entry, err := logical.StorageEntryJSON(req.Path, data.Raw)
    if err != nil {
        return nil, err
    }
    if err := req.Storage.Put(ctx, entry); err != nil {
        return nil, err
    }
    return nil, nil
}
bitnami-labs logo

sealed-secrets

7,621

A Kubernetes controller and tool for one-way encrypted Secrets

Pros of sealed-secrets

  • Provides encryption for Kubernetes secrets, enhancing security
  • Allows version control of encrypted secrets alongside application code
  • Supports GitOps workflows by enabling secret management in Git repositories

Cons of sealed-secrets

  • Specific to Kubernetes environments, limiting its use in other contexts
  • Requires additional setup and management of the SealedSecret controller
  • May introduce complexity for teams not familiar with Kubernetes concepts

Code Comparison

sealed-secrets:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: mysecret
spec:
  encryptedData:
    password: AgBy8hCM8...

docker-credential-helpers:

func (h osxkeychain) Add(creds *credentials.Credentials) error {
    // Add credentials to macOS Keychain
}

Key Differences

  • Purpose: sealed-secrets focuses on Kubernetes secret management, while docker-credential-helpers is for Docker credential storage
  • Scope: sealed-secrets is Kubernetes-specific, docker-credential-helpers supports various credential storage backends
  • Implementation: sealed-secrets uses custom Kubernetes resources, docker-credential-helpers integrates with system-level credential stores
  • Security model: sealed-secrets encrypts data for storage in Git, docker-credential-helpers leverages existing system security mechanisms

Both projects aim to improve secret management, but they target different use cases and environments.

getsops logo

sops

16,722

Simple and flexible tool for managing secrets

Pros of sops

  • Supports multiple cloud providers and key management systems
  • Encrypts entire files, not just individual credentials
  • Offers more flexible encryption options, including partial file encryption

Cons of sops

  • More complex setup and usage compared to docker-credential-helpers
  • Not specifically designed for Docker credentials, requiring additional configuration

Code Comparison

sops:

myapp:
    db:
        user: ENC[AES256_GCM,data:...] 
        password: ENC[AES256_GCM,data:...]

docker-credential-helpers:

{
  "ServerURL": "https://index.docker.io/v1/",
  "Username": "myuser",
  "Secret": "mysecret"
}

Key Differences

  1. Scope: sops is a general-purpose secret management tool, while docker-credential-helpers is specific to Docker credentials.
  2. Encryption: sops encrypts entire files or specific values, whereas docker-credential-helpers focuses on storing individual credentials.
  3. Integration: docker-credential-helpers integrates seamlessly with Docker, while sops requires additional setup for use with Docker.
  4. Flexibility: sops offers more options for encryption and key management, supporting various cloud providers and encryption methods.
  5. Complexity: docker-credential-helpers is simpler to use for Docker-specific tasks, while sops provides more advanced features at the cost of increased complexity.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

GitHub release PkgGoDev Build Status Codecov Go Report Card

Introduction

docker-credential-helpers is a suite of programs to use native stores to keep Docker credentials safe.

Installation

Go to the Releases page and download the binary that works better for you. Put that binary in your $PATH, so Docker can find it.

Building

You can build the credential helpers using Docker:

# install emulators
$ docker run --privileged --rm tonistiigi/binfmt --install all

# create builder
$ docker buildx create --use

# build credential helpers from remote repository and output to ./bin/build
$ docker buildx bake "https://github.com/docker/docker-credential-helpers.git"

# or from local source
$ git clone https://github.com/docker/docker-credential-helpers.git
$ cd docker-credential-helpers
$ docker buildx bake

Or if the toolchain is already installed on your machine:

1 - Download the source.

$ git clone https://github.com/docker/docker-credential-helpers.git
$ cd docker-credential-helpers

2 - Use make to build the program you want. That will leave an executable in the bin directory inside the repository.

$ make osxkeychain

3 - Put that binary in your $PATH, so Docker can find it.

$ cp bin/build/docker-credential-osxkeychain /usr/local/bin/

Usage

With the Docker Engine

Set the credsStore option in your ~/.docker/config.json file with the suffix of the program you want to use. For instance, set it to osxkeychain if you want to use docker-credential-osxkeychain.

{
  "credsStore": "osxkeychain"
}

With other command line applications

The sub-package client includes functions to call external programs from your own command line applications.

There are three things you need to know if you need to interact with a helper:

  1. The name of the program to execute, for instance docker-credential-osxkeychain.
  2. The server address to identify the credentials, for instance https://example.com.
  3. The username and secret to store, when you want to store credentials.

You can see examples of each function in the client documentation.

Available programs

  1. osxkeychain: Provides a helper to use the OS X keychain as credentials store.
  2. secretservice: Provides a helper to use the D-Bus secret service as credentials store.
  3. wincred: Provides a helper to use Windows credentials manager as store.
  4. pass: Provides a helper to use pass as credentials store.

Note

pass needs to be configured for docker-credential-pass to work properly. It must be initialized with a gpg2 key ID. Make sure your GPG key exists is in gpg2 keyring as pass uses gpg2 instead of the regular gpg.

Development

A credential helper can be any program that can read values from the standard input. We use the first argument in the command line to differentiate the kind of command to execute. There are four valid values:

  • store: Adds credentials to the keychain. The payload in the standard input is a JSON document with ServerURL, Username and Secret.
  • get: Retrieves credentials from the keychain. The payload in the standard input is the raw value for the ServerURL.
  • erase: Removes credentials from the keychain. The payload in the standard input is the raw value for the ServerURL.
  • list: Lists stored credentials. There is no standard input payload.

This repository also includes libraries to implement new credentials programs in Go. Adding a new helper program is pretty easy. You can see how the OS X keychain helper works in the osxkeychain directory.

  1. Implement the interface credentials.Helper in YOUR_PACKAGE/
  2. Create a main program in YOUR_PACKAGE/cmd/.
  3. Add make tasks to build your program and run tests.

License

MIT. See LICENSE for more information.