Notation CLI fails to login because of the missing credentials store
haoliangyu opened this issue
I am trying to use the `setup` action to install Notation CLI in a workflow to sign images in ECR. The workflow would look like this:
```yaml
name: test-image-signing
on:
  push:
    branches:
      - main
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: setup Notation CLI
        uses: notaryproject/notation-action/setup@v1
        with:
          version: "1.1.0"
      - name: Setup AWS access
        uses: test-org/a-custom-action@main
        with:
          environment: test
      - name: Sign
        shell: bash
        run: |
          region=us-east-1
          ecr_url=123456789.dkr.ecr.$region.amazonaws.com
          # this is successful
          aws ecr get-login-password --region $region | docker login --username AWS --password-stdin $ecr_url
          # this is NOT successful
          aws ecr get-login-password --region $region | notation login --username AWS --password-stdin $ecr_url
```
I am trying to use the Notation CLI directly in bash, instead of using the `sign` action, to sign images because our actual push-and-sign logic is a bit complex. However, when it tries to run the `notation login` command, it fails with the message:

```
Error: failed to log in to 123456789.dkr.ecr.us-east-1.amazonaws.com: the credential could not be saved because a credentials store is required to securely store the password. See https://notaryproject.dev/docs/how-to/registry-authentication/
```
Note that the `docker login` does succeed and I can verify that the docker configuration exists at `~/.docker/config.json`. According to the notation documentation, it should resolve either the notation configuration or docker configuration. But it does not.
I am not sure if it is a problem with the action or the Notation CLI itself. If this is not the appropriate place to ask, this issue can be moved.
I figured out that the `notation login` is not necessary if the `docker login` is already done. So the authentication issue is addressed, though I am still not clear on why `notation login` will throw a credentials store error in this case.
Thanks @haoliangyu for reporting this issue. As you figured out, `notation login` was not necessary if users authenticated with `docker login`. `notation login` requires a credential store to save the credentials securely. However, if there is no credential store installed, `docker login` can save the password with base64 encoding in the config file. See https://docs.docker.com/engine/reference/commandline/login/#default-behavior. `notation login` does not support this behavior as it is not secure. We recommend using a credential store to manage your credentials securely. I will review the notation authentication related document to see any improvements on authentication.
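A small check for the situation described in this thread, added here as an example and not code from the Notation project or the reporter: it classifies how a Docker `config.json` stores credentials for a registry (per-registry `credHelpers`, global `credsStore`, or the inline base64 `auth` value that `docker login` falls back to and `notation login` refuses to write). The two sample configs are constructed; `SAMPLE_NO_STORE` mirrors what a runner without a credential store ends up with.

```python
import base64
import json
from pathlib import Path
from typing import Optional

# Constructed sample: what `docker login` writes when no credential store is
# installed; "auth" is plain base64 of "user:password", not encryption.
SAMPLE_NO_STORE = {
    "auths": {
        "123456789.dkr.ecr.us-east-1.amazonaws.com": {
            "auth": base64.b64encode(b"AWS:example-token").decode()
        }
    }
}

# Constructed sample with a global credential store and a per-registry helper.
SAMPLE_WITH_STORE = {
    "auths": {"123456789.dkr.ecr.us-east-1.amazonaws.com": {}},
    "credsStore": "pass",
    "credHelpers": {"public.ecr.aws": "ecr-login"},
}


def credential_storage(config: dict, registry: str) -> str:
    """Classify how credentials for `registry` are stored: 'helper'
    (credHelpers entry, which the Docker CLI consults before credsStore),
    'store' (credsStore), 'inline-base64' (saved in the file) or 'none'."""
    if registry in (config.get("credHelpers") or {}):
        return "helper"
    if config.get("credsStore"):
        return "store"
    entry = (config.get("auths") or {}).get(registry) or {}
    return "inline-base64" if entry.get("auth") else "none"


def inline_username(config: dict, registry: str) -> Optional[str]:
    """Decode an inline 'auth' value and return only the username, to show
    that base64 hides nothing (the password is just as recoverable)."""
    entry = (config.get("auths") or {}).get(registry) or {}
    if not entry.get("auth"):
        return None
    return base64.b64decode(entry["auth"]).decode().partition(":")[0]


def check_docker_config(registry: str, path: Optional[str] = None) -> str:
    """Classify the on-disk ~/.docker/config.json (or `path`); 'none' if absent."""
    cfg_path = Path(path) if path else Path.home() / ".docker" / "config.json"
    if not cfg_path.is_file():
        return "none"
    return credential_storage(json.loads(cfg_path.read_text()), registry)
```

Running `check_docker_config(ecr_url)` on the runner before the `Sign` step tells you whether `notation login` would succeed (`helper` or `store`) or fail as in the error above (`inline-base64` or `none`).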