Using GCM from inside a Docker container #1336

Unanswered
liiight asked this question in Q&A
Jul 14, 2023 · 7 comments · 4 replies
Hi,

I was wondering if it's possible to use the GCM set up on a host machine when running a container.
I tried setting a mount to the GCM installation at /usr/local/share/gcm-core/git-credential-manager to the same location in the container but that didn't seem to work.

Any ideas?
Thanks in advance

Replies: 7 comments · 4 replies

This is a great question. It would be enormously helpful to folks who use dev containers if git-credential-manager credentials could be passed into Docker containers.

I don't think there is going to be a simple bind-mount solution, because, as far as I can tell, GCM doesn't expose any sockets that can easily be forwarded.

VSCode is actually able to do this. https://code.visualstudio.com/remote/advancedcontainers/sharing-git-credentials#_using-a-credential-helper

That works perfectly, but as best I can tell they are using a custom solution that requires using their Dev Container extension in VSCode and containers set up by VSCode. So that won't work if you are using a custom dev container or have some other reason to want to forward GCM into Docker.

I would be extremely interested in talking to anyone aware of, or interested in developing, a solution to this. It is only going to become more of an issue as organizations move towards requiring MFA for git access.

0 replies
BTW, you can use GCM inside a Docker container (at least for Azure DevOps) if you use the device-code login. For example, in .gitconfig:

```ini
[credential]
	; GCM reads these keys from the [credential] section
	credentialStore = cache
	cacheOptions = --timeout 36000
	msauthFlow = devicecode
	azreposCredentialType = oauth
```

This will prompt you to go to a link, enter your device code, and then log in there (sort of like when you set up your TV to use a streaming account).

But you will run into this issue of it storing the tokens in plaintext. Github issue. I'm not sure if that's a dealbreaker (might still be better than storing long-lived ssh keys), but wanted to put the info out there.

0 replies
This is mostly a cross-post from an issue I raised with the VS Code Dev Containers extension here, but it's relevant (arguably more so) to this discussion.

TLDR: I think I could build a solution if I could understand why I can't get the same auth flow to trigger on my host machine when I run git credential-manager get directly as when I call something like git pull, which indirectly triggers the call to the git credential helper.

More detail here --

I think I understand the basics of how to build a solution, though there are still some things I can't quite work out which are blocking me putting together a POC.

The basic idea would seem to be to install a simple git credential helper app in the container--call it helper-client--whose sole job is to take git credential commands, pass them to a Unix socket, and get the response back from the socket, where the socket in question is bind-mounted from the Docker host.

On the host side, another service would be running--call it helper-server--that would listen on the socket on the host side, receive any git credential helper requests, pass them on to the git-credential-manager, get the response and pass it back into the socket.

The flow would be something like this:

[*******************container****************************]    |    [*********************************host**********************]
git command <--> git credential helper <--> helper-client <--> helper-server <--> git credential-manager [cmd] <--> gcm 

The helper-client side is fairly straightforward. Any Python or Node script that can write to a socket will do, and you just put that script as your "credential.helper" argument in the container's .gitconfig.

The helper-server is a little harder. Easy enough to have a service that listens to a socket, but what does it do with the command it receives? Commands from git credential helper will be either "get", "store", or "erase". Let's take "get" as the most common case. When helper-server receives a "get", it can pass it directly on to the host's git-credential-manager, by calling the git credential helper via the CLI as described here. Assuming the host's git is set up to use gcm that should work.

But I don't understand (a) how it can know which host and repo it should target, or (b) what the format of the get command should be to get it to do the correct useHttpPath config.

In particular, if I do something like `echo -e "protocol=https\nhost=dev.azure.com/[MyOrg]\n" | git credential-manager get` I am not redirected to browser auth, even though that is what happens if I call git pull or the like.

Somehow the VS Code Dev Containers extension has made this work, but I can't figure out how...

0 replies
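An added example of the helper-client / helper-server design sketched above, written for this page rather than taken from the thread's project: one Python script that runs on the host as the server (`--serve`) and, inside the container, as git's credential helper. Two protocol details bear on the questions in the post. First, git hands a helper `protocol`, `host` and, only when `credential.useHttpPath` is true for that URL, `path` (for dev.azure.com the organization is the first path component) as `key=value` lines ended by a blank line; so the container's git config decides whether the org reaches the host. Second, a record piped to `git credential-manager get` by hand needs that terminating blank line as well. The socket path (`GCM_FORWARD_SOCK`, default `/run/gcm-forward.sock`), the `--serve` flag and the `allowed` op filter are assumptions of this example, not features of GCM.

```python
"""Forward git credential requests from a container to a host-side helper over a
Unix socket (the helper-client / helper-server split from the comment above).
Added example, not the thread's project code.  Assumptions: the socket named by
GCM_FORWARD_SOCK (default /run/gcm-forward.sock) is bind-mounted into the
container, and the host's git can run `git credential-manager <op>`."""
import os
import socket
import subprocess
import sys
import threading
from typing import Callable, Dict, Optional, Tuple

Attrs = Dict[str, str]
Backend = Callable[[str, Attrs], Attrs]
OPS: Tuple[str, ...] = ("get", "store", "erase")     # the only verbs git sends a helper
DEFAULT_SOCK = os.environ.get("GCM_FORWARD_SOCK", "/run/gcm-forward.sock")  # assumed path


def parse_credential(text: str) -> Attrs:
    """Parse git's credential format: key=value lines terminated by a blank line."""
    attrs: Attrs = {}
    for line in text.splitlines():
        if line == "":
            break                                       # blank line ends the record
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed credential line: {line!r}")
        attrs[key] = value
    return attrs


def format_credential(attrs: Attrs) -> str:
    """Serialise a record the way git does, including the terminating blank line."""
    return "".join(f"{k}={v}\n" for k, v in attrs.items()) + "\n"


def read_record(stream) -> str:
    """Read one record from a stream, stopping at the blank line (or EOF)."""
    buf = ""
    while True:
        line = stream.readline()
        buf += line
        if line in ("", "\n"):
            return buf


def gcm_backend(op: str, attrs: Attrs) -> Attrs:
    """Host side: hand the record to GCM exactly as git itself would."""
    proc = subprocess.run(["git", "credential-manager", op], check=True, text=True,
                          input=format_credential(attrs), capture_output=True)
    return parse_credential(proc.stdout)              # empty for store / erase


def handle(conn: socket.socket, backend: Backend, allowed: Tuple[str, ...]) -> None:
    """helper-server: first line is the op, then one record; answer with one record."""
    with conn, conn.makefile("rw", newline="\n") as f:
        reply: Attrs = {}
        try:
            op = f.readline().strip()
            attrs = parse_credential(read_record(f))
            if op in allowed:                           # e.g. allowed=("get",) makes the host read-only
                reply = backend(op, attrs)
        except Exception:                               # never leak host-side errors to the client
            reply = {}
        f.write(format_credential(reply))
        f.flush()


def serve(sock_path: str, backend: Backend, allowed: Tuple[str, ...] = OPS,
          ready: Optional[threading.Event] = None) -> None:
    """Listen on a mode-0600 Unix socket and dispatch each connection to handle()."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    old_umask = os.umask(0o177)                         # socket file is created 0600
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    srv.listen()
    if ready is not None:
        ready.set()
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle, args=(conn, backend, allowed), daemon=True).start()


def request(sock_path: str, op: str, attrs: Attrs) -> Attrs:
    """helper-client: send `op` plus the record, return the record the server replies with."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(10)
        s.connect(sock_path)
        with s.makefile("rw", newline="\n") as f:
            f.write(op + "\n" + format_credential(attrs))
            f.flush()
            return parse_credential(read_record(f))


if __name__ == "__main__":
    # host:      python3 gcm_forward.py --serve
    # container: git config --global credential.helper /usr/local/bin/gcm_forward.py
    #            (git then runs `gcm_forward.py get|store|erase` with the record on stdin)
    if sys.argv[1:] == ["--serve"]:
        serve(DEFAULT_SOCK, gcm_backend)
    else:
        sys.stdout.write(format_credential(
            request(DEFAULT_SOCK, sys.argv[1], parse_credential(sys.stdin.read()))))
```

The server runs `git credential-manager <op>` with whatever record arrived, so the host's own GCM configuration (credential store, auth flow) applies unchanged and the browser or device-code prompt appears on the host. Only the socket file crosses the container boundary; it is created mode 0600, so the container process should run as the host user's uid (a container running as root without a user namespace bypasses that check), and starting the server with `allowed=("get",)` stops the container from writing to or erasing entries in the host's store. Because the transport is a plain Unix socket, `ssh -R /remote/path.sock:/local/path.sock` (OpenSSH 6.7 or later) carries the same helper to another machine.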
OK, I've written a utility that enables this use case, i.e., forwarding GCM-stored credentials (or really, any git credentials) into a Docker container. More information and the code is here. I consider it a POC for now. It works, but I haven't tested it extensively, and I want to think through the security implications a little more. But please feel free to check it out, report bugs, and suggest improvements.

3 replies
@liiight
This is awesome! I'll try it asap and report back.

@bpkroth
Just ran across this. Will have to check it out. Do you think this could be used as a sort of ssh-agent forwarding mechanism as well?
e.g., device-code auth on one machine, ssh to another, have a socket tunnel back to the original client so that git on the ssh destination can use the cached credentials of the original without needing to reauth in both (many) places every day.

@sam-mfb
If you are willing to manually set up the SSH connection, you could actually do that now. The server/host side is just listening on localhost and the client side is just a simple TCP client, so if you forwarded your server side over SSH it should all work. I haven't actually tried it, but the whole thing is just running over HTTP/TCP, so it should work fine.

BTW, we have now been using this app daily at our company and it works great. Full access to git inside the Docker container and nice, secure browser-based authentication on the host.

@liiight I made a few tweaks, most notably adding webpack bundling, which should make the scripts easier to install.

I understand if you can't look at it until after Passover. 😉 Happy holiday!

1 reply
@liiight
Happy holiday!

I just remembered I haven't tried this yet! I'll do it early next week!

0 replies
No worries; we have been using it daily for the last two months and it has worked great. It has definitely solved the problem of being able to access GCM from inside a Docker container for us.

Feel free to raise any issues, thoughts, etc. on the GitHub for that project. Thanks for taking a look!

0 replies