How to use the deploy token correctly


#1

I will use the GitLab container registry for a private Docker image. When the project is public I can download the Docker image with docker login registry.gitlab.com/user/jupyterhub

If the project is private, I need a DEPLOY TOKEN and a PASSWORD.

PASSWORD = KzErTBKAnwNEpxwVWU9g
DEPLOY USER = gitlab+deploy-token-28155

docker login registry.example.com -u gitlab+deploy-token-28155 -p KzErTBKAnwNEpxwVWU9g and I can log in to the registry.

I get two warnings:

WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /home/klein/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

How do I solve these problems?

When I set CI_DEPLOY_USER and CI_DEPLOY_PASSWORD in the Variables, GitLab asks for a password.
docker login registry.gitlab.com -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD


#2

The password is insecure because it can be examined by malicious users with a simple ps -auxw.

This can be solved by using a pipe to pass the password via stdin:

echo "$CI_DEPLOY_PASSWORD" | docker login registry.gitlab.com --username=$CI_DEPLOY_USER --password-stdin

(echo isn’t visible within the process list, because it is a shell-builtin function)

BTW: You can ignore these warnings in GitLab CI.


#3

@gerald Can we ignore that even in public projects (where the CI/CD logs may be public too)?
In other words: if someone gets the deploy_user and deploy_password, he cannot do anything bad with it?
A few days ago I was asking myself this question and found nothing about it in the documentation.


#4

@skanto in your gitlab-ci.yml you can write

docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN $CI_REGISTRY

to log in to the Docker repository of your project with a temporary password.

You can use secret variables to hide passwords if you want to push to another repository.
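
The second warning quoted in the first post is about how Docker records a login when no credential helper is configured: the auth field in config.json is only base64 of user:password. The audit script below is an added example and not part of the original thread; the sample config, the registry names and the token in it are constructed placeholders.

```python
import base64
import json

# Constructed sample of ~/.docker/config.json after a plain `docker login`;
# the user name and token are placeholders, not real credentials.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "registry.example.com": {
            "auth": base64.b64encode(b"gitlab+deploy-token-0:EXAMPLE-TOKEN").decode()
        },
        "registry.gitlab.com": {},  # empty entry: a credential helper holds the secret
        "broken.example.com": {"auth": "%%%not-base64%%%"},
    },
    "credHelpers": {"registry.gitlab.com": "pass"},
})


def audit_docker_config(text):
    """Return one finding per registry whose secret sits in the file itself."""
    cfg = json.loads(text)
    helpers = cfg.get("credHelpers", {})
    default_store = cfg.get("credsStore")
    findings = []
    for registry, entry in sorted(cfg.get("auths", {}).items()):
        blob = (entry or {}).get("auth")
        if not blob:
            continue  # nothing stored inline for this registry
        try:
            raw = base64.b64decode(blob, validate=True).decode("utf-8")
            user, sep, secret = raw.partition(":")
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            user, sep, secret = "<undecodable>", "", ""
        findings.append({
            "registry": registry,
            "user": user,
            "secret_recoverable": bool(sep and secret),
            "secret_length": len(secret),  # report the length only, never the value
            # A helper listed here means the inline entry is a stale leftover.
            "helper": helpers.get(registry, default_store),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_docker_config(SAMPLE_CONFIG):
        print(finding)
```

An empty result for a real config.json means every registry entry is delegated to a credential store or helper.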