Ever since Docker Desktop became paid software, I run colima on the mac. By default, this setup will end up storing docker login credentials in the clear, in `~/.docker/config.json`.

I don't enjoy that. Here's how to fix it.
Wipe `~/.docker/config.json` and run `docker logout`. To instruct docker to use the macOS keychain as the docker credential store, replace it with this:

```json
{
  "credsStore": "osxkeychain",
  "currentContext": "colima"
}
```
For this to work, you also need to install `docker-credential-osxkeychain`. Docker provides a bunch of these credential helpers over at docker/docker-credential-helpers. With nix, installing this is a matter of adding `docker-credential-helpers` and rebuilding.

```nix
home.packages = with pkgs; [
  docker
  docker-credential-helpers
];
```
Now docker will put your credentials in the macOS keychain when you log in, e.g. like this for the GitHub Container Registry:

```sh
gh auth token \
  | docker login ghcr.io -u USERNAME --password-stdin
```
My full nix setup for docker with colima, as of today, looks like this:

```nix
{ pkgs, ... }: {
  home.packages = with pkgs; [
    # nix 23.11 is colima 0.5.6
    # https://github.com/abiosoft/colima/issues/913
    # unstable is colima 0.6.8
    pkgs.unstable.colima # colima start --edit to tune its resources
    docker
    docker-compose
    docker-credential-helpers
  ];
}
```
Now, `~/.docker/config.json` looks like this:

```json
{
  "auths": {
    "ghcr.io": {}
  },
  "credsStore": "osxkeychain",
  "currentContext": "colima"
}
```
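To confirm the result, here is an added audit script (not part of the post) that classifies every registry in a `config.json`: still stored in the clear inside the file, delegated to a credential helper via `credsStore` or the per-registry `credHelpers` key, or an empty stub with no helper at all. The sample config and the `registry.example.test` login in it are constructed for the demo.

```python
import base64
import json

# Constructed sample ~/.docker/config.json (not from the post): one registry
# still carries a base64 "user:password" pair in "auth", two are delegated.
SAMPLE_CONFIG = json.dumps({
    "auths": {
        "registry.example.test": {"auth": base64.b64encode(b"alice:hunter2").decode()},
        "ghcr.io": {},
        "gcr.io": {},
    },
    "credsStore": "osxkeychain",          # default helper for every registry
    "credHelpers": {"gcr.io": "gcloud"},  # per-registry override
    "currentContext": "colima",
})


def audit_docker_config(raw: str) -> dict:
    """Classify each registry under "auths" as plaintext, delegated or empty."""
    cfg = json.loads(raw)
    store = cfg.get("credsStore")
    helpers = cfg.get("credHelpers", {})
    report = {"plaintext": {}, "delegated": {}, "empty": []}
    for registry, entry in cfg.get("auths", {}).items():
        token = entry.get("auth")
        if token:
            # "auth" is base64("user:password"); surface the user, never the secret.
            user = base64.b64decode(token).decode().split(":", 1)[0]
            report["plaintext"][registry] = user
        elif entry.get("identitytoken"):
            # OAuth bearer token written into the file; no username to show.
            report["plaintext"][registry] = None
        else:
            helper = helpers.get(registry, store)
            if helper:
                report["delegated"][registry] = helper
            else:
                report["empty"].append(registry)
    return report


def stores_secrets_in_clear(raw: str) -> bool:
    """True when any registry login is still written into the file itself."""
    return bool(audit_docker_config(raw)["plaintext"])


if __name__ == "__main__":
    print(json.dumps(audit_docker_config(SAMPLE_CONFIG), indent=2))
```

Run it against your real file with `audit_docker_config(open(os.path.expanduser("~/.docker/config.json")).read())`; an empty `plaintext` map is the state the post ends up in.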
Secrets be gone! 🔒