Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows credential helper doesn't support passwords greater than 2,500 characters in length #190

Open
dougrday opened this issue Nov 6, 2020 · 12 comments
Open

Windows credential helper doesn't support passwords greater than 2,500 characters in length #190

dougrday opened this issue Nov 6, 2020 · 12 comments

Comments

@dougrday
Copy link

dougrday commented Nov 6, 2020
edited
Loading

When authenticating Docker with AWS, the recommend practice from AWS is this:

aws ecr get-login-password | docker login --username AWS --password-stdin <registry>

When AWS SSO is enabled, the value returned from get-login-password is greater than 2,500 characters in length, which causes the credential helper to fail. I've tested with both the desktop helper and wincred helper, both of which fail with this message:

Error saving credentials: error storing credentials - err: exit status 1, out: 'The stub received bad data.'

This is a fairly blocking issue for Windows developers, as they cannot log into the Docker registry if the authentication secret is large enough.
@dougrday dougrday mentioned this issue Nov 6, 2020
Open
2 tasks
@dougrday
Copy link
Author

dougrday commented Nov 6, 2020

It looks like there are similar problems with Azure SSO: aws/aws-cli#5636 (comment)

@dougrday dougrday changed the title Windows credential manager doesn't support passwords greater than 2,500 characters in length Windows credential helper doesn't support passwords greater than 2,500 characters in length Nov 6, 2020
@dougrday
Copy link
Author

dougrday commented Nov 6, 2020

Also this: awslabs/amazon-ecr-credential-helper#229 (comment)

@Anthropic
Copy link

Curious is this new @dougrday ?
I started hitting this today, but I haven't tried since the company started using SSO a few months back.
Praying this worked in an old version I can switch to as I have just spent a whole day trying to get it working before I found this.

@feinoujc feinoujc mentioned this issue Nov 12, 2020
Closed
@dandobrescu
Copy link

@Anthropic I don't have any issues with the old version, but I guess you also saw that yourself. It only happens when using permissions generated through SSO, and only if docker uses Windows Credential Manager

@dougrday
Copy link
Author

I haven't tried myself, but my teammates have reported that the 2.3.x versions don't exhibit this problem.

As a temporary workaround, I've created this credential helper that stored the SSO credentials in plaintext in Windows. Our SSO tokens are only valid for a few hours, so the window of risk of plaintext goes down, but I still consider this a workaround, not a solution.

If anyone needs a stop-gap to keep working, here it is: https://github.com/dougrday/docker-credential-plaintext

@Anthropic
Copy link

I got around it by deleting credsStore values from all docker config.json files (both in Windows and Ubuntu) it seems to work now. Obviously this issue being resolved would be the better option, thank you for your time 👍

@jeremyjpaws jeremyjpaws mentioned this issue Dec 29, 2020
Closed
@tjohanssonn
Copy link

I haven't tried myself, but my teammates have reported that the 2.3.x versions don't exhibit this problem.

As a temporary workaround, I've created this credential helper that stored the SSO credentials in plaintext in Windows. Our SSO tokens are only valid for a few hours, so the window of risk of plaintext goes down, but I still consider this a workaround, not a solution.

If anyone needs a stop-gap to keep working, here it is: https://github.com/dougrday/docker-credential-plaintext

Thank you very much for providing this temporary workaround.

I have my code inside WSL, and found that I also had to add the file extension in ~/.docker/config.json:

{
  "credHelpers": {
    "my-private-repo": "plaintext.sh"
  },
  "credsStore": "desktop.exe"
}

Note that this is the config file inside WSL. I took me a little too long to understand why docker complained about not finding it in the $PATH. The ".exe" on the credsStore should've given me a hint...

@stevemk14ebr
Copy link

stevemk14ebr commented May 26, 2021
edited
Loading

This still occurs! Confirmed removing credStore entry fixes with sso

@SuchismitaGoswami
Copy link

SuchismitaGoswami commented Aug 13, 2021
edited
Loading

I tried all the solution mentioned here. Nothing worked for me. Tried this workaround as below

  echo '{"auths": {"https://index.docker.io/v1/": {}}, "HttpHeaders": { "User-Agent": "Docker-Client/19.03.12 (windows)"}}' > ~/.docker/config.json
  aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 1234567890.dkr.ecr.us-east-1.amazonaws.com

It worked. Posting it here if anyone finds it useful

@erenken
Copy link

erenken commented Sep 25, 2021

I tried all the solution mentioned here. Nothing worked for me. Tried this workaround as below

  echo '{"auths": {"https://index.docker.io/v1/": {}}, "HttpHeaders": { "User-Agent": "Docker-Client/19.03.12 (windows)"}}' > ~/.docker/config.json
  aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 1234567890.dkr.ecr.us-east-1.amazonaws.com

It worked. Posting it here if anyone finds it useful

This worked perfectly for me. Thanks!

mook-as added a commit to mook-as/rd that referenced this issue Aug 26, 2022
@mook-as
E2E: credentials-server: skip long data tests on Windows.
11a5acd 
These tests are failing on Windows because the native executable backing
them is failing (docker-credential-wincred.exe).  When running these tests,
we get an error saying "The stub received bad data." (which appears to be
the Win32 error message for RPC_X_BAD_STUB_DATA).

Ref: docker/docker-credential-helpers#190

Signed-off-by: Mark Yen <mark.yen@suse.com>
mook-as added a commit to mook-as/rd that referenced this issue Aug 26, 2022
@mook-as
E2E: credentials-server: skip long data tests on Windows.
7a0d7fd 
These tests are failing on Windows because the native executable backing
them is failing (docker-credential-wincred.exe).  When running these tests,
we get an error saying "The stub received bad data." (which appears to be
the Win32 error message for RPC_X_BAD_STUB_DATA).

Ref: docker/docker-credential-helpers#190

Signed-off-by: Mark Yen <mark.yen@suse.com>
@mook-as mook-as mentioned this issue Aug 26, 2022
Merged
mook-as added a commit to mook-as/rd that referenced this issue Aug 26, 2022
@mook-as
E2E: credentials-server: skip long data tests on Windows.
ea72369 
These tests are failing on Windows because the native executable backing
them is failing (docker-credential-wincred.exe).  When running these tests,
we get an error saying "The stub received bad data." (which appears to be
the Win32 error message for RPC_X_BAD_STUB_DATA).

Ref: docker/docker-credential-helpers#190

Signed-off-by: Mark Yen <mark.yen@suse.com>
@crazy-max crazy-max mentioned this issue Oct 24, 2023
Open
@DeliDro
Copy link

DeliDro commented Jun 21, 2024

I tried all the solution mentioned here. Nothing worked for me. Tried this workaround as below

  echo '{"auths": {"https://index.docker.io/v1/": {}}, "HttpHeaders": { "User-Agent": "Docker-Client/19.03.12 (windows)"}}' > ~/.docker/config.json
  aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 1234567890.dkr.ecr.us-east-1.amazonaws.com

It worked. Posting it here if anyone finds it useful

Worked for me, thanks

  • Docker Desktop version : 26.1.4
  • Debian on WSL Version 2

@BeyondEvil
Copy link

This is still a problem and the workaround can't be used in Github Actions on Windows runners.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@dougrday @Anthropic @stevemk14ebr @tjohanssonn @BeyondEvil @erenken @SuchismitaGoswami @DeliDro @dandobrescu