Masking Docker Credentials in Amazon ECR Login Action

yyichenn commented 1 year ago

Background

The Amazon ECR Login GitHub Action allows users to login to their ECR Private or Public registry in a GitHub Actions workflow. The action is used in parallel with the configure-aws-credentials action in order to allow the login action to use the AWS CLI. It retrieves an auth token by calling ECR’s GetAuthorizationToken API and passes the token into a docker login command to enable pushing and pulling from ECR repositories in subsequent steps. This token is valid for 12 hours, and can only be used for ECR actions required for push and pull. The Docker credentials retrieved from the token are set as outputs, so customers can use them in other jobs in their workflow.

Issue

These Docker credentials are printed in the action logs if the workflow execution has debug logging enabled. This means that,

In public repositories, anyone who is logged in with a GitHub account can see the Docker credentials in the repository’s action logs.
In private repositories, anyone with read-access to the repository can see the Docker credentials in the repository’s action logs.

Solution

We added a parameter to begin allowing users to mask Docker credentials in their workflow as part of v1.7.0. However, the default behavior, as of v1.7.0, is to not mask the credentials. In order to adhere to security best practices, we have released a new major version of the action, v2, that masks the Docker credentials by default. This is a breaking change, and customers relying on these credentials being available in subsequent jobs will need to explicitly configure their action to not mask credentials.

For more information on how to migrate, please see https://github.com/aws-actions/amazon-ecr-login#new-v2-release.

bengotow commented 1 year ago

Hey gang, I see that the README and this issue request that I upgrade to aws-actions/amazon-ecr-login@v2, but trying to use that version in a github action results in this error:

Error: Unable to resolve action `aws-actions/amazon-ecr-login@v2`, unable to find version `v2`

Maybe the v2 update has not actually been published yet?

yyichenn commented 1 year ago

Hi , and thanks for reaching out.

v2 has not been released yet and the scheduled release date is October 02, 2023, PST. We apologize for any confusion.

tmpfs commented 1 year ago

@yyichenn, I just hit this. Would have been better to update the readme after the release tag has been pushed. Seems strange to document an unreleased release.

arjraman commented 1 year ago

v2 version has now been released.

samarthgowda96 commented 2 months ago

 Run aws-actions/amazon-ecr-login@v2
  with:
    mask-password:  "true"
    registry-type: private
    skip-logout: false
  env:
    AWS_ACCESS_KEY_ID: You are printing meeeee; just mask me pls

How do i mask the  secrets; i don't want them to appear in the logs

aws-actions / amazon-ecr-login