aws-actions/amazon-ecr-login

Masking Docker Credentials in Amazon ECR Login Action

yyichenn opened this issue · 5 comments

Background

The Amazon ECR Login GitHub Action allows users to log in to their ECR Private or Public registry in a GitHub Actions workflow. The action is used in parallel with the configure-aws-credentials action in order to allow the login action to use the AWS CLI. It retrieves an auth token by calling ECR’s GetAuthorizationToken API and passes the token into a docker login command to enable pushing and pulling from ECR repositories in subsequent steps. This token is valid for 12 hours, and can only be used for ECR actions required for push and pull. The Docker credentials retrieved from the token are set as outputs, so customers can use them in other jobs in their workflow.

Issue

These Docker credentials are printed in the action logs if the workflow execution has debug logging enabled. This means that,

  • In public repositories, anyone who is logged in with a GitHub account can see the Docker credentials in the repository’s action logs.

  • In private repositories, anyone with read-access to the repository can see the Docker credentials in the repository’s action logs.

Solution

We added a parameter to begin allowing users to mask Docker credentials in their workflow as part of v1.7.0. However, the default behavior, as of v1.7.0, is to not mask the credentials. In order to adhere to security best practices, we have released a new major version of the action, v2, that masks the Docker credentials by default. This is a breaking change, and customers relying on these credentials being available in subsequent jobs will need to explicitly configure their action to not mask credentials.

For more information on how to migrate, please see https://github.com/aws-actions/amazon-ecr-login#new-v2-release.
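The mechanism described in the issue above, as an added example that is not part of the original post and is not the action's own code: it decodes a constructed token of the form ECR returns (base64 of `user:password`), builds the GitHub Actions `::add-mask::` workflow command for the password, and shows the same debug line with and without masking. The sample token, the debug line and the `redact` helper are assumptions made for illustration.

```javascript
// Added example, not code from aws-actions/amazon-ecr-login.
// Constructed sample token: GetAuthorizationToken returns base64("user:password").
const SAMPLE_TOKEN = Buffer.from('AWS:constructed-not-a-real-password').toString('base64');

// Split the decoded token into Docker credentials. The password may itself
// contain ':', so split on the first colon only.
function parseAuthToken(token) {
  const decoded = Buffer.from(token, 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 1) throw new Error('malformed authorization token');
  return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// Escape a value for use as workflow-command data ('%', CR and LF are special).
function escapeData(s) {
  return s.replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
}

// Workflow command asking the runner to redact a value in later log output.
// It has to be written to stdout before the value is logged or set as an output.
function maskCommand(secret) {
  return `::add-mask::${escapeData(secret)}`;
}

// Hypothetical model of the runner-side redaction, for illustration only.
function redact(line, secrets) {
  return secrets.reduce((out, s) => (s ? out.split(s).join('***') : out), line);
}

function demo() {
  const { username, password } = parseAuthToken(SAMPLE_TOKEN);
  // Constructed debug line standing in for what debug logging would print.
  const debugLine = `##[debug]docker password: ${password}`;
  return {
    username,
    command: maskCommand(password),
    unmasked: redact(debugLine, []),        // behaviour without masking
    masked: redact(debugLine, [password]),  // behaviour once the value is masked
  };
}

console.log(demo());
```
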

Hey gang, I see that the README and this issue request that I upgrade to aws-actions/amazon-ecr-login@v2, but trying to use that version in a GitHub Action results in this error:

Error: Unable to resolve action `aws-actions/amazon-ecr-login@v2`, unable to find version `v2`

Maybe the v2 update has not actually been published yet?

Hi , and thanks for reaching out.

v2 has not been released yet and the scheduled release date is October 02, 2023, PST. We apologize for any confusion.

tmpfs commented

@yyichenn, I just hit this. Would have been better to update the readme after the release tag has been pushed. Seems strange to document an unreleased release.

v2 version has now been released.

 Run aws-actions/amazon-ecr-login@v2
  with:
    mask-password:  "true"
    registry-type: private
    skip-logout: false
  env:
    AWS_ACCESS_KEY_ID: You are printing meeeee; just mask me pls 
How do I mask the secrets? I don't want them to appear in the logs.