Bootstrapping docker registry authentication for dev containers (Rancher Desktop macOS)

[shaunmlowry]

Hi

I'm using rancher desktop to support a dev container use case on macOS and one of the images we use to build our dev container is hosted in a private registry. Before you can download this image, you need to be logged in to the registry. I have access to both Amazon ECR and GitHub Container Registry so they're both options for hosting this image. My problem is bootstrapping the credentials necessary to download from either on dev container initialization.

The dev container metadata spec contains the following option:

initializeCommand: A command string or list of command arguments to run on the host machine during initialization, including during container creation and on subsequent starts. The command may run more than once during a given session.

⚠️ The command is run wherever the source code is located on the host. For cloud services, this is in the cloud.

Note that the array syntax will execute the command without a shell. You can learn more about formatting string vs array vs object properties.

I'd like to perform the authentication step in the initializeCommand and in a macOS shell, both of the following work:

GHCR:

docker login  --username <github_username> --password $(gh auth token) ghcr.io

AWS ECR:

aws sso login --profile <profile> && AWS_PROFILE=<profile> aws ecr get-login-password --region <region> | docker login --username AWS --password-stdin <registry_host>

However, when using dev containers in rancher desktop the host machine used to execute the initializeCommand is the lima vm where neither of these mechanisms seem to work. I can get close with GHCR by installing the github CLI in the lima VM and running gh auth login before using gh auth token, however this results in a github OAuth token being store in plain text in the VM, whereas on macOS (or a bare-metal linux) this token would be stored securely in the OS keychain.

My question is, does anybody know a way to:

1. access a github OAuth token stored in the macOS host's keychain from within the VM
2. enable a secure keychain in the VM that could store a fresh OAuth token
3. enable the AWS ECR login flow in the VM or
4. any other way to log in to a docker registry securely from the VM?