Fix authentication priority: AWS-native -> docker login -> credHelpers -> credsStore

rasmusfaber · rasmusfaber · commit 5cfdf260e71d · 2025-06-13T13:16:41.000+02:00
Signed-off-by: Rasmus Faber-Espensen &lt;rfaber@gmail.com&gt;
diff --git a/oras/auth/base.py b/oras/auth/base.py
@@ -102,19 +102,19 @@ def _load_auth(self, hostname: str) -> bool:
                 return False
             self._basic_auth = auth
             return True
-        # Check for credsStore:
-        if self._auth_config.get("credsStore"):
+        # Check for credHelper
+        if self._auth_config.get("credHelpers", {}).get(hostname):
             auth = self._get_auth_from_creds_store(
-                self._auth_config["credsStore"], hostname
+                self._auth_config["credHelpers"][hostname], hostname
             )
             if auth is not None:
                 self._basic_auth = auth
                 auths[hostname] = {"auth": auth}
                 return True
-        # Check for credHelper
-        if self._auth_config.get("credHelpers", {}).get(hostname):
+        # Check for credsStore:
+        if self._auth_config.get("credsStore"):
             auth = self._get_auth_from_creds_store(
-                self._auth_config["credHelpers"][hostname], hostname
+                self._auth_config["credsStore"], hostname
             )
             if auth is not None:
                 self._basic_auth = auth
diff --git a/oras/auth/ecr.py b/oras/auth/ecr.py
@@ -3,23 +3,31 @@
 __license__ = "Apache-2.0"
 
 import re
+from typing import Optional
 
 import requests
 
 import oras.auth.utils as auth_utils
 from oras.auth.token import TokenAuth
 from oras.logger import logger
+from oras.types import container_type
 
 
 class EcrAuth(TokenAuth):
     """
     Auth backend for AWS ECR (Elastic Container Registry) using token-based authentication.
     """
+    AWS_ECR_PATTERN = re.compile(r"(?P<account_id>\d{12})\.dkr\.ecr\.(?P<region>[^.]+)\.amazonaws\.com")
+    AWS_ECR_REALM_PATTERN = re.compile(r"https://(?P<account_id>\d{12})\.dkr\.ecr\.(?P<region>[^.]+)\.amazonaws\.com/")
 
     def __init__(self):
         super().__init__()
         self._tokens = {}
 
+    def load_configs(self, container: container_type, configs: Optional[list] = None) -> None:
+        if not self.AWS_ECR_PATTERN.fullmatch(container.registry):
+            super().load_configs(container, configs)
+
     def authenticate_request(
         self, original: requests.Response, headers: dict, refresh=False
     ):
@@ -46,7 +54,7 @@ def authenticate_request(
         token = self._tokens.get(h.realm)
         if not token or refresh:
             m = re.fullmatch(
-                r"https://(?P<account_id>\d{12})\.dkr\.ecr\.(?P<region>[^.]+)\.amazonaws\.com/",
+                self.AWS_ECR_REALM_PATTERN,
                 h.realm,
             )
             if not m:
