[ECR] [request]: Limit generated login password to 2500 characters or less

[MikeDombo]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request What do you want us to build?

Currently, ECR may generate Docker login passwords over 2500 characters (in my testing I see 2714 characters). This is an issue on Windows as Docker uses the wincred API to store the password securely. Wincred has a limit of 2500 characters for a password, so this will always fail on Windows. The only workaround is to remove or rename the docker-credential-wincred binary file to prevent Docker from using wincred. There is no configuration option possible to prevent Docker from using wincred if it is available.

Therefore, ECR should limit the generated password length to 2500 characters or less to support better Windows default installations.

One way to achieve this would be to generate a smaller random blob of data (256 bits of randomness for example) for the password and then when authenticating requests, lookup that blob as the primary key in a table and map it to the larger blob (2714 characters) which contains the necessary authentication/authorization data. This way not much on the backend needs to change except for an initial lookup in a table to get to the data which is currently expected.

Which service(s) is this request for? This could be Fargate, ECS, EKS, ECR

ECR

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.

Described above.

Here are issues from other customers who are affected by this problem: https://github.com/aws-greengrass/aws-greengrass-nucleus/issues/1140 https://github.com/aws/aws-cli/issues/5636

For Greengrass specifically, we do not want to require our users to perform any additional setup. Simply installing Docker and then using Docker in Greengrass ought to work out of the box. The impact of not solving this issue is that customers on Windows using Greengrass will not be able to use Docker and ECR together without using some manual workaround and that manual workaround is not secure as the password is stored on disk in plain text.

Are you currently working around this issue? How are you currently solving this problem?

Additional context Anything else we should know?

Attachments If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

[jozefizso]

We just hit this bug and it was terrible to troubleshoot it. As the AWS password is dependent on the git branch name, we were seeing random login failures which apparent link between git branch name and eventually docker storing the AWS password to Windows Credentials Store.