From d2b6ec6f69145f6d5024a6be46030ad04371b813 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?= Date: Wed, 19 Oct 2022 02:36:54 -0300 Subject: [PATCH 1/6] Added ability to log in to public.ecr.aws --- hooks/environment | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/hooks/environment b/hooks/environment index 8ec66ee..ddd2481 100755 --- a/hooks/environment +++ b/hooks/environment @@ -160,9 +160,20 @@ function login_using_aws_ecr_get_login_password() { fi # amend the ~~~ log heading with ^^^ to add the AWS account IDs echo "^^^ Authenticating with AWS ECR in $region for ${account_ids[*]} :ecr: :docker:" - local password; password="$(retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" aws ${login_args[@]+"${login_args[@]}"} ecr get-login-password)" + + local password; + local public_password; for account_id in "${account_ids[@]}"; do - retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" --with-stdin docker login --username AWS --password-stdin "$account_id.dkr.ecr.$region.amazonaws.com" <<< "$password" + if [[ $account_id == "public.ecr.aws" ]]; then + # special AWS command with us-east-1 region + echo "Ignoring region for $account_id and forcing us-east-1" + public_password="$(retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" aws --region us-east-1 ecr-public get-login-password)" + retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" --with-stdin docker login --username AWS --password-stdin public.ecr.aws <<< "$public_password" + else + # it is only necessary to get the password once + password=${password:-"$(retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" aws ${login_args[@]+"${login_args[@]}"} ecr get-login-password)"} + retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" --with-stdin docker login --username AWS --password-stdin "$account_id.dkr.ecr.$region.amazonaws.com" <<< "$password" + fi done } From 85b84beb1ca83b180d52530b5a0bad82f51b2498 Mon Sep 17 00:00:00 2001 
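Review bot: The public-registry branch is chosen by an exact match, `[[ $account_id == "public.ecr.aws" ]]`, so any other spelling of that value falls into the `else` branch, where the private-registry token from `aws ecr get-login-password` is piped to `docker login` for `"$account_id.dkr.ecr.$region.amazonaws.com"`. The README warning added in patch 5/6 suggests prefixing account IDs with `https://` when the ECR credential helper is configured; `https://public.ecr.aws` would take that path and presumably fail with a confusing login error against a host that is not the public registry. If that form is meant to be supported, match on the value with the scheme stripped, `if [[ "${account_id#https://}" == "public.ecr.aws" ]]; then`, and pass `"$account_id"` to `docker login` in that branch; otherwise say in the README that the prefix does not apply to the public registry. The body of `login_using_aws_ecr_get_login_password` starts above this hunk, so how `region` and `login_args` are built is not visible here.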
From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?= Date: Wed, 19 Oct 2022 02:38:07 -0300 Subject: [PATCH 2/6] Added test on public.ecr.aws --- tests/run.bats | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/tests/run.bats b/tests/run.bats index 3481ef8..a636784 100644 --- a/tests/run.bats +++ b/tests/run.bats @@ -80,6 +80,7 @@ load "${BATS_PLUGIN_PATH}/load.bash" unstub docker rm /tmp/password-stdin } + @test "ECR login; configured account ID, AWS_DEFAULT_REGION set" { export BUILDKITE_PLUGIN_ECR_LOGIN=true export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=421321321321 @@ -102,6 +103,7 @@ load "${BATS_PLUGIN_PATH}/load.bash" unstub docker rm /tmp/password-stdin } + @test "ECR login; configured account ID, no region specified defaults to us-east-1" { export BUILDKITE_PLUGIN_ECR_LOGIN=true export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=421321321321 @@ -126,6 +128,7 @@ load "${BATS_PLUGIN_PATH}/load.bash" unstub docker rm /tmp/password-stdin } + @test "ECR login; multiple account IDs" { export BUILDKITE_PLUGIN_ECR_LOGIN=true export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS_0=111111111111 @@ -153,6 +156,7 @@ load "${BATS_PLUGIN_PATH}/load.bash" rm /tmp/password-stdin-0 rm /tmp/password-stdin-1 } + @test "ECR login; multiple comma-separated account IDs" { export BUILDKITE_PLUGIN_ECR_LOGIN=true export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=333333333333,444444444444 
@@ -520,3 +524,28 @@ load "${BATS_PLUGIN_PATH}/load.bash" unstub aws unstub docker } + +@test "ECR login; public registry even in other regions" { + export BUILDKITE_PLUGIN_ECR_LOGIN=true + export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=public.ecr.aws + export AWS_DEFAULT_REGION=us-west-2 + + stub aws \ + "--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \ + "--region us-east-1 ecr-public get-login-password : echo public" + + stub docker \ + "login --username AWS --password-stdin public.ecr.aws : cat > /tmp/password-stdin ; echo logging in to docker" + + + run "$PWD/hooks/environment" + + assert_success + assert_output --partial "logging in to docker" + assert_equal "public" "$(cat /tmp/password-stdin)" + assert_failure + + unstub aws + unstub docker + rm /tmp/password-stdin +} \ No newline at end of file From e8e4e1b7adc31f8b0c245f1a5956e72c654b9676 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?= Date: Wed, 19 Oct 2022 02:41:59 -0300 Subject: [PATCH 3/6] Document public registry support --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 99008ec..cdb8825 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,8 @@ Whether to login to your account's ECR. Either a string, or a list of strings with AWS account IDs that correspond to the Amazon ECR registries that you want to log in to. Make sure to quote these if they start with a 0. +You can use the literal `public.ecr.aws` as a value to authenticate against AWS ECR public registries. + ### `no-include-email` (optional) > Obsolete if using AWS CLI version 1.17.10 or newer. From a2f8f374643deef55485fafc59881557e18f9971 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?= Date: Wed, 19 Oct 2022 18:10:20 -0300 Subject: [PATCH 4/6] Updated version for upcoming release --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cdb8825..8051091 100644 
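Review bot: The docker stub in the new test writes the token it receives to the fixed path `/tmp/password-stdin`, and the `rm /tmp/password-stdin` on the last line is skipped whenever an earlier assertion fails, so the file is left behind in a shared, world-writable directory. The other tests visible in this file use the same path, so this is a file-wide pattern rather than something the new test introduces. If the bats version in use provides `BATS_TEST_TMPDIR`, the stub could end in `cat > $BATS_TEST_TMPDIR/password-stdin` and the check could read `"$(cat "$BATS_TEST_TMPDIR/password-stdin")"`; bats removes that directory itself, which should make the trailing `rm` unnecessary. Separately, only `public.ecr.aws` on its own is exercised; a mixed list with a private account ID, the one case where both tokens are in play, has no coverage in this hunk.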
--- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ This will login docker to ECR prior to running your script. steps: - command: ./run_build.sh plugins: - - ecr#v2.6.0: + - ecr#v2.7.0: login: true ``` @@ -22,7 +22,7 @@ If you want to log in to ECR on [another account](https://docs.aws.amazon.com/Am steps: - command: ./run_build.sh plugins: - - ecr#v2.6.0: + - ecr#v2.7.0: login: true account_ids: "0015615400570" region: "ap-southeast-2" @@ -34,7 +34,7 @@ If you need to assume a role to perform that login: steps: - command: ./run_build.sh plugins: - - ecr#v2.6.0: + - ecr#v2.7.0: login: true account-ids: "0015615400570" region: "ap-southeast-2" From 00ed6733dfcecc7f9447268b58cc1b40d2f1415d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?= Date: Wed, 19 Oct 2022 18:31:43 -0300 Subject: [PATCH 5/6] Added warning with ECR Credential helper (thanks @tigris) --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 8051091..ba02cc7 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,8 @@ Either a string, or a list of strings with AWS account IDs that correspond to th You can use the literal `public.ecr.aws` as a value to authenticate against AWS ECR public registries. +:warning: If you are using [ECR Credential Helper](https://github.com/awslabs/amazon-ecr-credential-helper/) in your docker configuration it is possible you have to add `https://` to your account IDs to prevent an error (see the [corresponding bug report](https://github.com/docker/cli/issues/3665) for more information). + ### `no-include-email` (optional) > Obsolete if using AWS CLI version 1.17.10 or newer. From 65d4f08c73915d28cd19966e3c5c2324f20d445f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mat=C3=ADas=20A=2E=20Bellone?= Date: Wed, 19 Oct 2022 18:35:15 -0300 Subject: [PATCH 6/6] Remove failure assert I used for testing :facepalm: --- tests/run.bats | 1 - 1 file changed, 1 deletion(-) 
diff --git a/tests/run.bats b/tests/run.bats index a636784..d10b6bf 100644 --- a/tests/run.bats +++ b/tests/run.bats @@ -543,7 +543,6 @@ load "${BATS_PLUGIN_PATH}/load.bash" assert_success assert_output --partial "logging in to docker" assert_equal "public" "$(cat /tmp/password-stdin)" - assert_failure unstub aws unstub docker