I need plain text credentials in my config.json, how do I disable this if it is enabled?

[red8888]

On windows it defaults to using this provider so when I run docker login sensitive info isn't saved to the config.json. This is good but I need to disable it, I need these creds to be plain text to support a specific service.

This is very frustrating because I can't find any info on how to disable wincred (or even uninstall it). There has to be a way to turn it off temporarily so I can generate a config.json with my creds in plain text.

[vdemeester]

@red8888 Reading https://docs.docker.com/engine/reference/commandline/login/#credentials-store I think explicitely putting an empty value in the credsStore value in ~/.docker/config.json instead of wincred should do the trick 👼

[tahonaPL]

Not working, docker login put wincred in empty place.

[cmorty]

This does not work for Windows Docker Enterprise 18.09.5

[ijc]

I don't know how one would translate this into a Windows equivalent but LinuxKit calls the credhelper itself to extract the values: https://github.com/linuxkit/linuxkit/blob/master/scripts/push-manifest.sh#L52...L54

If you could replicate that on Windows (In powershell perhaps?) then you could write your own config.json in some tempdir and point your service at that instead of the real one perhaps?

[cmorty]

Ok, seems like manually copying wincred into the docker installation folder fixes things. 18.09.2 worked just fine.

[dpalinic]

Hello guys. I'm having the same issue on ubuntu 18. In credStore there's pass configured and no matter what I do, I can't disable it.

1. If I remove pass value from credStore and try to docker login I get error that pass is not initialized
2. If I delete .docker/config.json, I got same as 1.

Is there a way to disable this? I want my plain text back again.

Thanks

[DouglasHeriot]

Also keen to get plain text only credentials. I'm connecting to AWS ECR so the credentials are only valid for a few hours anyway.

[verglor]

If you have WSL enabled you can use wsl docker --config . login to store plain text config.json in current directory.

[jimtang2]

I just got the auth hash after setting the credsStore value to "" followed by docker login.

[pleonex]

The workaround is not working anymore. In the latest version for us Docker is overwriting the value and using wincred again. It has broken our build and release pipelines. There are also many people reporting that in the for-mac repo and as always, so far no reply from Docker guys...

Linked issues (probably way more, especially closed by our hated Docker bot):

• Disable credsStore? moby/moby#32733
• docker build fails to pull base image from private repository moby/moby#33252
• BUG: docker-compose running on Windows doesn't pull images from private Registry moby/moby#26198
• Docker login to registry in windows server 2016 - Error saving credentials cli#1263
• Add support for explicit credsStore: "file" option to avoid using native creds-stores cli#1219
• Credential helpers are used even if they are not configured for-win#6043
• Unable to login into private registry using ssh for-win#2856
• Credential helpers are used even if they are not configured for-win#5020
• Disable credsStore? for-mac#1584
• How to create normal .docker/config.json auth file for-mac#4100
• config.json still contains "credsStore" : "osxkeychain" after disabling "Securely store docker logins in macOS keychain" feature for-mac#4192
• Break the unofficial workarounds for:
  • Error saving credentials: error storing credentials - err: exit status 1, out: The user name or passphrase you entered is not correct. when using docker login -u _json_key -p "$(cat developer-key.json)" https://gcr.io for-mac#2295
  • Docker login command accesses random KeyChain entries and fails #65
  • Unable to push to AWS when using wincred store #22

We need an actual value that tells Docker to not use any external credential, just base64 as before. We don't need workarounds of "set it to empty", "remove it from the file" or "delete the binaries from the Docker installation" because after each update the behavior of that "empty / not present" value changes.

It's ok to break things. We are software developers, we do it all the time. But please, just reply to any of the issues. Listen the community, we are taking our work time to investigate and report them. Try to help and stop auto-closing issues because no one from the dev team replied. After reading all of these unanswered issues I am feeling no one cares about the issues we report.

[pleonex]

The issue could be here:

https://github.com/docker/cli/blob/b350e14b1f83e1870a234ff2c554450707218204/cli/config/config.go#L143-L144

That it's getting the default storage when the value from the configuration file is empty. The default storage is the one from the platform even when the user specifies empty.

https://github.com/docker/cli/blob/b350e14b1f83e1870a234ff2c554450707218204/cli/config/credentials/default_store.go#L9-L21

and here it creates the "native" credential store instead of the "file" one as we want:

https://github.com/docker/cli/blob/f7185d27e165c50c55c898720fec38b37a751393/cli/config/configfile/file.go#L280

but according to these function, if we set the credHelpers of our repository to empty, it will use the "file" store

https://github.com/docker/cli/blob/f7185d27e165c50c55c898720fec38b37a751393/cli/config/configfile/file.go#L280

I have tested that workaround and now it works again! Update: it doesn't work Let's see for how much time since this doesn't seem to be well supported. New config file:

{
	"auths": {},
	"HttpHeaders": {
		"User-Agent": "Docker-Client/19.03.8 (windows)"
	},
	"credsStore": "wincred",
	"credHelpers": {
		"MY_PRIVATE_REPOSITORY_URL": ""
	}
}

[pleonex]

The workaround doesn't fully work as Docker decides to wipe out my config file and remove all the credHelpers. I have to create scripts to re-create this config file every time we do a docker push.

We are starting to consider migrating to Podman and Buildah, it's just incredible that we don't get any answer for these bugs reported for several years, with workarounds that need to be changed and investigated in every Docker update....

[Kabal163]

Docker team, any updates? I have the same problem and no workarounds work...

[Cheaterman]

That's fairly annoying, to be honest. I feel like it's pretty standard to have your CD runner log into your docker registry while headless, and that would fail if target machine has gnome-keyring (rather docker-credential-secretservice) installed. Installing docker-credential-pass is somewhat of a solution in my situation though, unlike OP.

[alexanderilyin]

My Workaround

Hiding docker-credential-pass from which / PATH and using separate config for example $PWD/.docker/config.json is required to make both Base64 and pass to work on same host for same user, you will just have to run different commands for each method.

• Do not put docker-credential-pass. Put it to $PWD/bin/docker-credential-pass and update $PATH before calling any docker command, for example:

  PATH=$PWD/bin/docker-credential-pass:$PATH docker login ...
  

• Use custom config.json to store desired credsStore state, for example:

  PATH=$PWD/bin/docker-credential-pass:$PATH docker login --config $PWD/.docker/ ...
  

Base64

docker login ...
# Reading $HOME/.docker/config.json

pass

Note that --config accepts directory and NOT a filename.

PATH=$PWD/bin/docker-credential-pass:$PATH docker login --config $PWD/.docker/ ...
# Reading $PWD/.docker/config.json

[bennahugo]

apt remove golang-docker-credential-helpers worked for me

This uninstalls
The following packages will be REMOVED:
docker-compose golang-docker-credential-helpers python-docker python-dockerpycreds

This means I cannot use docker-compose, but I would rather start my containers with a normal shell script than it popping up GUI based key managers all the time

Running: ubuntu 18.04

$ docker --version
Docker version 20.10.7, build 20.10.7-0ubuntu5~18.04.3

[tiejunhu]

Just encountered this issue on Mac/Monterey with latest Docker desktop 4.5.0(74594). The workaround is:

1. remove all docker-credential-* from /Applications/Docker.app/Contents/Resources/bin/
2. remove credsStore and auth key from ~/.docker/config.json
3. do docker login, if you get this warning, you are good to go:

[2022-02-25 14:18:33] WARNING! Your password will be stored unencrypted in xxx/.docker/config.json.
[2022-02-25 14:18:33] Configure a credential helper to remove this warning. See
[2022-02-25 14:18:33] https://docs.docker.com/engine/reference/commandline/login/#credentials-store

[henriquevcosta]

Just encountered this issue on Mac/Monterey with latest Docker desktop 4.5.0(74594). The workaround is:

1. remove all docker-credential-* from /Applications/Docker.app/Contents/Resources/bin/

2. remove credsStore and auth key from ~/.docker/config.json

3. do docker login, if you get this warning, you are good to go:

[2022-02-25 14:18:33] WARNING! Your password will be stored unencrypted in xxx/.docker/config.json.
[2022-02-25 14:18:33] Configure a credential helper to remove this warning. See
[2022-02-25 14:18:33] https://docs.docker.com/engine/reference/commandline/login/#credentials-store

I tried just temporarily moving them to a new name (they were actually symlinks in /usr/local/bin, renamed the symlinks) and renaming them back after logging in and so far so good.

[ccsalway]

Here's the solution I came up with - a python script that handles the store, get commands

docker-credential-plaintext.py

#!/usr/bin/env python3

import json
import os
import sys

_data = None
_args = sys.argv  # action
_stdin = sys.stdin.read().strip()
_dir = os.environ['DOCKER_CONFIG']
creds_file = f'{_dir}/creds.json'

if os.path.isfile(creds_file):
    with open(creds_file, 'r') as f:
        _data = f.read()

creds = json.loads(_data) if _data else {}

if _args[1] == 'store':
    input = json.loads(_stdin)  # ServerURL,Username,Secret:dict
    creds[input['ServerURL']] = {
        "Username": input['Username'],
        "Secret": input['Secret']
    }
    with open(creds_file, 'w') as f:
        json.dump(creds, f, indent=2)

elif _args[1] == 'get':
    input = _stdin  # ServerURL:str
    if input in creds:
        print(json.dumps(creds[input]))

Example usage:

cp -f docker-credential-plaintext.py /usr/local/bin/docker-credential-plaintext
chmod +x /usr/local/bin/docker-credential-plaintext

export DOCKER_CONFIG="$(pwd)/.docker"
mkdir -p "$DOCKER_CONFIG"
echo '{"credsStore": "plaintext"}' > "$DOCKER_CONFIG/config.json"

docker --config "$DOCKER_CONFIG" login --username USERNAME --password PASSWORD REPOSITORY
docker push REPOSITORY/IMAGE:TAG