
Forward access to the host credential/secret storage, to allow credential reuse and increased security #10470

Open · Clockwork-Muse opened this issue Nov 13, 2024 · 1 comment
Labels: containers (Issue in vscode-remote containers), feature-request (Request for new features or functionality)

@Clockwork-Muse

I would like some way to forward the host system's generic credential/secret storage into devcontainers, to make it available to command-line tools at minimum.

Currently, I've been messing with the GitHub CLI for some experiments against my employer's enterprise org, which requires logging in. There are a few problems with this:

  1. I have to log in separately on each devcontainer (I was working on both the producer and consumer sides of a package, not something that would normally be combined).
  2. GitHub rate limits logging in with the CLI, meaning I couldn't actually log in on the second devcontainer for multiple minutes.
  3. The credentials will disappear if the container is rebuilt.

Now, there are ways to work around this, to an extent...

  • I could persist the credentials for a container by adding a bind or volume mount, but:
    • This has to be added to each container. Volume mounts would be separated by container, so wouldn't solve shared credential concerns
    • Issues with permissions (not guaranteed matching UIDs)
    • Less secure than secret storage
    • You generally shouldn't use bind mounts on Docker Desktop on Windows.
  • I could create a devcontainer feature with a volume mount, but:
    • More complicated than a simple devcontainer mount, but would allow credential re-use.
    • Issues with permissions (not guaranteed matching UIDs)
    • Some form of folder redirection or environment configuration would be required to account for different home directories.

Instead, it would be helpful if the host secret storage was proxied into the container, for use by various CLIs. This would be more helpful on Windows, given the extra layer otherwise required. Providing such a proxy would also mean that a separate connection may not be needed for each tool (although I'm less sure if it would be possible to get rid of the docker/git forwarding...).
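The mount-based workaround listed above, written out as a devcontainer.json. This is an added example, not code from the issue author or from the devcontainers project. It assumes the `mcr.microsoft.com/devcontainers/base:ubuntu` image (whose default `vscode` user has passwordless sudo) and the official `github-cli` feature; the volume name `gh-config` and the path `/var/lib/gh-config` are illustrative choices. A named volume with a fixed name is mounted by every container whose devcontainer.json names it, so a `gh auth login` in one container is visible in the others, and the volume outlives container rebuilds. `GH_CONFIG_DIR` is an environment variable the GitHub CLI honours, and pointing it at the volume sidesteps the differing-home-directory problem.

```jsonc
// .devcontainer/devcontainer.json (added example; comments are allowed in devcontainer.json)
{
  "name": "producer",
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "features": {
    "ghcr.io/devcontainers/features/github-cli:1": {}
  },
  "remoteUser": "vscode",

  // Named volume: every devcontainer.json that uses the same source name
  // mounts the same volume, so credentials are shared and survive rebuilds.
  // (Name and target path are assumptions for this example.)
  "mounts": [
    "source=gh-config,target=/var/lib/gh-config,type=volume"
  ],

  // Point gh at the volume instead of ~/.config/gh, so the container user's
  // home directory does not matter.
  "remoteEnv": {
    "GH_CONFIG_DIR": "/var/lib/gh-config"
  },

  // Docker creates the volume root-owned; hand it to the container user once
  // and keep it private. This runs on container creation, so a rebuild still
  // ends up with a readable volume for the (possibly different) UID.
  "postCreateCommand": "sudo chown -R vscode:vscode /var/lib/gh-config && chmod 700 /var/lib/gh-config"
}
```

Caveat: inside the container there is no OS keyring, so `gh` falls back to storing the token in plaintext in `hosts.yml` under `GH_CONFIG_DIR`. That is exactly the "less secure than secret storage" point made above; any container (or host process with access to the Docker socket) that can mount the `gh-config` volume can read the token.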

@Clockwork-Muse (Author)

I've just seen the declarative secrets addition to the spec (although vscode hasn't implemented support for it yet).

That would be usable for many things, if implemented (certainly GitHub CLI access would work), but I'm asking for something a bit more in depth, especially for tools that may not be installed on the host at all (so setting the secret value/existence would be happening from inside the devcontainer).


Come to think of it, I'm a little surprised there isn't a generic OS-provided OAuth2 credential helper/manager by now. At least for some flows...
