containertool: Read default username and password from the environment #119
Merged
euanh merged 1 commit into apple:main from Apr 28, 2025
Add environment variable equivalents for the `--username` and
`--password` command line flags. These variables are more convenient
than .netrc when working with registries which use short-lived
credentials, such as ECR:
```
export CONTAINERTOOL_USERNAME=AWS
export CONTAINERTOOL_PASSWORD=$(aws ecr get-login-password --region us-west-2)
swift run containertool --repository \
    123456789012.dkr.ecr.us-west-2.amazonaws.com/hello/world \
    .build/x86_64-swift-linux-musl/debug/hello-world
```
N.B. These flags are used as default credentials if no matching
entries are found in .netrc - potentially they should be called
`--default-username` and `--default-password` to make this clearer.
In the example above, if .netrc contains credentials for
123456789012.dkr.ecr.us-west-2.amazonaws.com they will be used in
preference to the credentials in the environment variables.
To avoid this, credentials which are not intended to be used should
be removed from .netrc.
Fixes apple#105
Motivation
The `--username` and `--password` options allow default credentials to be defined. These are used if a corresponding entry cannot be found in `.netrc`, or if the `--disable-netrc` flag is set. (`--username` and `--password` should possibly be renamed to `--default-username` and `--default-password` to make this clearer.)

Specifying passwords as command line arguments is generally discouraged because they will then be visible in the output of tools such as `ps` and `top`. Providing credentials in environment variables avoids this problem, although there may still be other ways for users on the same machine to discover their values.

Environment variables are also more convenient than `.netrc` when uploading to registries which use short-lived credentials, such as ECR:

In the example above, if .netrc contains credentials for 123456789012.dkr.ecr.us-west-2.amazonaws.com they will be used in preference to the credentials in the environment variables. To avoid this, credentials which are not intended to be used should be removed from .netrc.

Modifications

If the `--username` or `--password` flags are not present on the command line, use the values of the `CONTAINERTOOL_USERNAME` or `CONTAINERTOOL_PASSWORD` environment variables - if defined - as the default credentials.

Result

`.netrc` frequently.

Fixes #105
Test Plan
All existing tests continue to pass.
Tested manually with a registry using short-lived credentials.
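A pre-flight check for the precedence described above, as an added example that is not part of this pull request or of containertool: it reports whether a `.netrc` entry for the registry host would be used in preference to `CONTAINERTOOL_USERNAME` and `CONTAINERTOOL_PASSWORD`. The function names are hypothetical; reading `.netrc` as whitespace-separated tokens, matching only `machine` entries, and requiring both variables to be set are assumptions of this example.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of containertool.

# registry_host REPOSITORY -> registry host (everything before the first "/").
registry_host() {
    printf '%s\n' "${1%%/*}"
}

# netrc_has_machine HOST [FILE] -> exit 0 if FILE has a "machine HOST" entry.
# Assumption: .netrc is a whitespace-separated token stream, so an entry may
# share a line with others or span several lines. "default" entries are ignored.
netrc_has_machine() {
    nhm_file=${2:-$HOME/.netrc}
    [ -r "$nhm_file" ] || return 1
    tr -s ' \t\r\n' '\n' < "$nhm_file" | awk -v host="$1" '
        prev == "machine" && $0 == host { found = 1 }
        { prev = $0 }
        END { exit !found }'
}

# credential_source REPOSITORY [FILE] -> prints netrc, environment or none.
# Order follows the page: a matching .netrc entry is used in preference to the
# environment variables. Command line flags and --disable-netrc are not
# modelled here. Assumption: both variables must be non-empty to count.
credential_source() {
    cs_host=$(registry_host "$1")
    if netrc_has_machine "$cs_host" "${2:-$HOME/.netrc}"; then
        echo netrc
    elif [ -n "${CONTAINERTOOL_USERNAME:-}" ] && [ -n "${CONTAINERTOOL_PASSWORD:-}" ]; then
        echo environment
    else
        echo none
    fi
}
```

Calling `credential_source 123456789012.dkr.ecr.us-west-2.amazonaws.com/hello/world` before a push prints `netrc` when an old entry would be used in preference to the freshly exported short-lived credentials.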