From 267025743f10e892399457dd7df4e5e97f0c342b Mon Sep 17 00:00:00 2001
From: Natalie Arellano
Date: Tue, 9 Apr 2024 10:26:44 -0400
Subject: [PATCH] Fix auth by wrapping keychain in a ResolvedKeychain

Prior to https://github.com/buildpacks/lifecycle/pull/1315, all keychains passed to NewMultiKeychain were resolved keychains, which prevented the credentials from becoming inaccessible after the lifecycle dropped privileges.

Signed-off-by: Natalie Arellano
---
 auth/keychain.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/auth/keychain.go b/auth/keychain.go
index 1bde34e0e..8b74799d2 100644
--- a/auth/keychain.go
+++ b/auth/keychain.go
@@ -38,13 +38,15 @@ func DefaultKeychain(images ...string) (authn.Keychain, error) {
 return nil, err
 }
- keychains := []authn.Keychain{envKeychain, authn.DefaultKeychain}
-
+ keychains := []authn.Keychain{
+ envKeychain,
+ NewResolvedKeychain(authn.DefaultKeychain, images...),
+ }
 if vendorKeychainEnabled("amazon") {
- keychains = append(keychains, amazonKeychain)
+ keychains = append(keychains, NewResolvedKeychain(amazonKeychain, images...))
 }
 if vendorKeychainEnabled("azure") {
- keychains = append(keychains, azureKeychain)
+ keychains = append(keychains, NewResolvedKeychain(azureKeychain, images...))
 }
 return authn.NewMultiKeychain(
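Review bot: Nothing at the `keychains := []authn.Keychain{` literal records why every non-env keychain has to go through `NewResolvedKeychain`; the reason (credentials become inaccessible once the lifecycle drops privileges) lives only in the commit message, so a later refactor can reintroduce the bare keychains unnoticed. I would add above the literal `// Resolve credentials now, while still privileged; the underlying keychains may be inaccessible after privileges are dropped.` Since resolution is keyed on `images...`, it looks as if a reference that is not in that list would get no credentials from these keychains, which is worth stating in DefaultKeychain's doc comment if that is the case. A test asserting that the returned keychain still resolves each listed image once the backing credential source is gone would pin the behaviour. DefaultKeychain starts before the hunk and continues past it.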