(aws-ecr-assets): Allow docker image assets to access private data in builds

The docker build command has a --ssh option to allow the Docker Engine to forward SSH agent connections. This is useful if you have private assets stored somewhere which are required in the build (for example private git repositories referenced by cargo).

The proposal is to allow the flag --ssh with a value to be passed to the docker build command outside of build_args (which CDK already supports but does not support this use case). For example, my build command would look like this:

docker build --ssh default -t foobar .

Use Case

This is useful if you have private assets stored somewhere which are required in the build (for example private git repositories referenced by cargo).

Cargo for example looks like this:

[package]
name = "my_project"
[dependencies]
my_lib = { git = "ssh://git@github.com/deadcore/my_lib.git", tag = "my_lib_0.1.0_47330eb"  }

Proposed Solution

The simplest thought I could think of is:

const dockerImage = new DockerImageAsset(this, 'docker-image', {
    directory: path.join(__dirname, ".."),
    ssh_forward: true,
});

or to allow full support of the SSH forwarding ability in Docker:

const dockerImage = new DockerImageAsset(this, 'docker-image', {
    directory: path.join(__dirname, ".."),
    ssh_forward: {
        'projecta': './projecta.pem',
        'projectb': './projectb.pem'
    },
});

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 6
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

christiangaetano commented, Jun 7, 2022 (5 reactions)

@deadcore can you explain why build_args are not enough?

build_args (which CDK already supports but does not support this use case)

The ultimate goal here is not to consume an SSH key as a variable in a Dockerfile, but rather to define the optional --ssh flag used with the docker build command. This is a new flag that allows Docker to securely access host SSH credentials at build time.

Using build_args, you would get something like this:

docker build --build-arg --ssh=default

Desired command is:

docker build --ssh default

eladb commented, Feb 15, 2021 (3 reactions)

We will happily accept a contribution for this. Sounds reasonable to support.
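
The thread shows the docker build --ssh default command and the Cargo manifest, but not the Dockerfile side that consumes the forwarded agent. The following is an added example, not code from the issue or from CDK: the base image tags, the /src path, the ssh-keyscan step and the use of CARGO_NET_GIT_FETCH_WITH_CLI are assumptions; my_project is the package name from the manifest above.

```dockerfile
# syntax=docker/dockerfile:1
# Constructed example: consumes the agent forwarded by `docker build --ssh default`.

# --- Pattern that build_args would lead to (left commented out on purpose) ---
# ARG SSH_PRIVATE_KEY
# RUN echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_ed25519 && cargo build --release
# Build-arg values are recorded in the image metadata (`docker history`), and the
# key file is written into a layer, so anyone who can pull the image can recover it.

# --- Pattern that --ssh enables ---
FROM rust:1-bookworm AS build

# git and an SSH client are needed for the ssh:// dependency in Cargo.toml.
RUN apt-get update \
 && apt-get install -y --no-install-recommends git openssh-client \
 && rm -rf /var/lib/apt/lists/*

# Assumption: host keys are collected with ssh-keyscan for brevity. That is
# trust-on-first-use; a hardened build copies in pinned, verified host keys instead.
RUN mkdir -p -m 0700 /root/.ssh \
 && ssh-keyscan github.com >> /root/.ssh/known_hosts

# Have cargo fetch git dependencies with the git CLI, which authenticates
# through the agent socket exposed in SSH_AUTH_SOCK.
ENV CARGO_NET_GIT_FETCH_WITH_CLI=true

WORKDIR /src
COPY . .

# The agent socket is mounted for this RUN step only. The private key never
# enters the build container; only signing requests go to the host agent,
# and nothing from the mount is stored in the resulting layer.
RUN --mount=type=ssh cargo build --release

# Final stage carries only the compiled binary, not the toolchain or sources.
FROM debian:bookworm-slim
COPY --from=build /src/target/release/my_project /usr/local/bin/my_project
ENTRYPOINT ["/usr/local/bin/my_project"]
```

This requires BuildKit and an ssh-agent on the host with the relevant key loaded. A RUN step without --mount=type=ssh gets no access to the agent, so only the steps that need private dependencies should carry the mount.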
