Colima: Don't keep docker credentials in the clear

 · 1 min · torgeir

I don't enjoy configuration files with secrets kept in plaintext. Here's how to move docker credentials to the macos keychain when you are running colima.

Macos Colima Docker Nix

Ever since Docker Desktop became paid software, I run colima on the mac. By default, this setup will end up storing docker login credentials in the clear, in ~/.docker/config.json.

I don’t enjoy that. Here’s how to fix it.

Wipe ~/.docker/config.json and run docker logout. To instruct docker to use the macos keychain as the docker credential store, replace it with this

{
  "credsStore": "osxkeychain",
  "currentContext": "colima"
}

For this to work, you also need to install docker-credential-osxkeychain. Docker provides a bunch of these credential helpers over at docker/docker-credential-helpers. With nix, installing this is a matter of adding docker-credential-helpers and rebuilding.

home.packages = with pkgs; [
  docker
  docker-credential-helpers
];

Now docker will put your credentials in the macos keychain when you log in. E.g. like this for the GitHub Container Registry

gh auth token \
  | docker login ghcr.io -u USERNAME --password-stdin

My full nix setup for docker with colima, as of today, looks like this

{ pkgs, ... }: {

  home.packages = with pkgs; [

    # nix 23.11 is colima 0.5.6
    # https://github.com/abiosoft/colima/issues/913
    # unstable is colima 0.6.8
    pkgs.unstable.colima # colima start --edit to tune its resources

    docker
    docker-compose
    docker-credential-helpers
  ];
}

Now, ~/.docker/config.json looks like this.

{
  "auths": {
    "ghcr.io": {}
  },
  "credsStore": "osxkeychain",
  "currentContext": "colima"
}
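To check that the switch actually took, here is a small audit script (added here, not part of the original post or of docker) that reads a config.json, flags any registry still carrying a plaintext base64 user:password "auth" field, and reports which store (credHelpers beats credsStore) would handle it. The two configs are constructed samples: the "before" shape with a fake token, and the keychain-backed "after" shape from the post.

```python
import base64
import json

# Constructed "before" sample: the default layout with a plaintext
# base64("user:password") entry. The token is fake.
PLAINTEXT_CONFIG = json.dumps({
    "auths": {
        "ghcr.io": {"auth": base64.b64encode(b"someuser:ghp_fakefakefake").decode()}
    },
    "currentContext": "colima",
})

# Constructed "after" sample matching the keychain-backed layout above.
KEYCHAIN_CONFIG = json.dumps({
    "auths": {"ghcr.io": {}},
    "credsStore": "osxkeychain",
    "currentContext": "colima",
})


def audit_docker_config(text):
    """Return (registry, username, store) for every registry whose entry still
    holds a plaintext "auth" value. store is the credential helper that would
    serve that registry (per-registry credHelpers win over credsStore), or
    None when the JSON file is the only place the secret lives."""
    cfg = json.loads(text)
    creds_store = cfg.get("credsStore")
    cred_helpers = cfg.get("credHelpers", {})
    findings = []
    for registry, entry in cfg.get("auths", {}).items():
        auth = entry.get("auth")
        if not auth:
            continue  # empty entry: the secret is in the credential store
        store = cred_helpers.get(registry, creds_store)
        # "auth" is base64("username:password"); only surface the username
        try:
            decoded = base64.b64decode(auth).decode("utf-8", "replace")
            user = decoded.split(":", 1)[0]
        except Exception:
            user = "<undecodable>"
        findings.append((registry, user, store))
    return findings


if __name__ == "__main__":
    for name, text in (("plaintext", PLAINTEXT_CONFIG), ("keychain", KEYCHAIN_CONFIG)):
        print(name, audit_docker_config(text) or "no plaintext credentials")
```

Point it at your real file with `audit_docker_config(open(os.path.expanduser("~/.docker/config.json")).read())`; an empty list means no secret is left in the clear.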

Secrets be gone!

🔒