ko-build · imjasonh · Feb 8, 2022 · Feb 2, 2022
diff --git a/README.md b/README.md
@@ -69,6 +69,19 @@ logging in to a container image registry with a username and password, similar
 to
 [`docker login`](https://docs.docker.com/engine/reference/commandline/login/).
 
+Additionally, if auth is not configured in the Docker config, `ko` includes
+built-in support for authenticating to the following container registries using
+credentials configured in the environment:
+
+- Google Container Registry and Artifact Registry
+  - using [Application Default Credentials](https://cloud.google.com/docs/authentication/production) or auth configured in `gcloud`.
+- Amazon Elastic Container Registry
+  - using [AWS credentials](https://github.com/awslabs/amazon-ecr-credential-helper/#aws-credentials)
+- Azure Container Registry
+  - using [environment variables](https://github.com/chrismellard/docker-credential-acr-env/)
+- GitHub Container Registry
+  - using the `GITHUB_TOKEN` environment variable
+
 ## Choose Destination
 
 `ko` depends on an environment variable, `KO_DOCKER_REPO`, to identify where it

diff --git a/go.mod b/go.mod
@@ -3,13 +3,15 @@ module github.com/google/ko
 go 1.16
 
 require (
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20211215200129-69c85dc22db6
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21
 	github.com/containerd/stargz-snapshotter/estargz v0.11.0
 	github.com/docker/docker v20.10.12+incompatible
 	github.com/dprotaso/go-yit v0.0.0-20191028211022-135eb7262960
 	github.com/fsnotify/fsnotify v1.5.1
 	github.com/go-training/helloworld v0.0.0-20200225145412-ba5f4379d78b
 	github.com/google/go-cmp v0.5.7
-	github.com/google/go-containerregistry v0.8.1-0.20220127202146-ad9088610094
+	github.com/google/go-containerregistry v0.8.1-0.20220207182237-33725d2d7add
 	github.com/mattmoor/dep-notify v0.0.0-20190205035814-a45dec370a17
 	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198
 	github.com/sigstore/cosign v1.3.2-0.20211120003522-90e2dcfe7b92

diff --git a/go.sum b/go.sum
diff --git a/pkg/commands/config.go b/pkg/commands/config.go
@@ -25,17 +25,34 @@ import (
 	"strings"
 	"time"
 
+	ecr "github.com/awslabs/amazon-ecr-credential-helper/ecr-login"
+	"github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api"
+	"github.com/chrismellard/docker-credential-acr-env/pkg/credhelper"
 	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/authn/github"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/daemon"
+	"github.com/google/go-containerregistry/pkg/v1/google"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 
 	"github.com/google/ko/pkg/build"
 	"github.com/google/ko/pkg/commands/options"
 	"github.com/google/ko/pkg/publish"
 )
 
+var (
+	amazonKeychain authn.Keychain = authn.NewKeychainFromHelper(ecr.ECRHelper{ClientFactory: api.DefaultClientFactory{}})
+	azureKeychain  authn.Keychain = authn.NewKeychainFromHelper(credhelper.NewACRCredentialsHelper())
+	keychain                      = authn.NewMultiKeychain(
+		authn.DefaultKeychain,
+		google.Keychain,
+		github.Keychain,
+		amazonKeychain,
+		azureKeychain,
+	)
+)
+
 // getBaseImage returns a function that determines the base image for a given import path.
 func getBaseImage(bo *options.BuildOptions) build.GetBase {
 	cache := map[string]build.Result{}
@@ -50,7 +67,7 @@ func getBaseImage(bo *options.BuildOptions) build.GetBase {
 			userAgent = bo.UserAgent
 		}
 		ropt := []remote.Option{
-			remote.WithAuthFromKeychain(authn.DefaultKeychain),
+			remote.WithAuthFromKeychain(keychain),
 			remote.WithUserAgent(userAgent),
 			remote.WithContext(ctx),
 		}

diff --git a/pkg/commands/deps.go b/pkg/commands/deps.go
@@ -26,7 +26,6 @@ import (
 	"path"
 	"path/filepath"
 
-	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
@@ -63,7 +62,7 @@ If the image was not built using ko, or if it was built without embedding depend
 
 			img, err := remote.Image(ref,
 				remote.WithContext(ctx),
-				remote.WithAuthFromKeychain(authn.DefaultKeychain),
+				remote.WithAuthFromKeychain(keychain),
 				remote.WithUserAgent(ua()))
 			if err != nil {
 				return err

diff --git a/pkg/commands/resolver.go b/pkg/commands/resolver.go
@@ -29,7 +29,6 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/mattmoor/dep-notify/pkg/graph"
 	"golang.org/x/sync/errgroup"
@@ -213,7 +212,7 @@ func makePublisher(po *options.PublishOptions) (publish.Interface, error) {
 		if po.Push {
 			dp, err := publish.NewDefault(repoName,
 				publish.WithUserAgent(userAgent),
-				publish.WithAuthFromKeychain(authn.DefaultKeychain),
+				publish.WithAuthFromKeychain(keychain),
 				publish.WithNamer(namer),
 				publish.WithTags(po.Tags),
 				publish.WithTagOnly(po.TagOnly),

diff --git a/vendor/cloud.google.com/go/LICENSE b/vendor/cloud.google.com/go/LICENSE