[pipelines] Docker logins for assets


When using CDK Pipelines, the autogenerated Assets action will build Docker images and publish them to the cdk-provided ECR. However, if included Dockerfiles build on images in a non-public repository (e.g. an ECR in a different account), those builds will fail since the Assets action has no way of specifying sources to docker login to.

Use Case

Prior to using Pipelines we’ve used a shared ECR in a dedicated account to both store our internal base images, as well as images built on top of those. A single docker login would cover both pull and push from that repo.

However, when switching to Pipelines, the destination repo changes. Pipelines transparently handles login to that, but provides no configuration option for docker registries that need to be logged in to prior to asset building.

Proposed Solution

Other

The error message from the Assets/DockerAsset1 CodeBuild project was:

  Step 1/13 : FROM <account>.dkr.ecr.eu-west-1.amazonaws.com/...
  | Get https://<account>.dkr.ecr.eu-west-1.amazonaws.com/...: no basic auth credentials

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 28
  • Comments: 19 (8 by maintainers)

Top GitHub Comments

9 reactions
tobli commented, Oct 26, 2020

Here’s the hack I added to my pipeline stack (after the pipeline was created) to get past this:

  // Imports assumed by this method (CDK v1 package names):
  import { Policy, PolicyStatement } from '@aws-cdk/aws-iam';
  import { Stack } from '@aws-cdk/core';
  import { CdkPipeline, PublishAssetsAction } from '@aws-cdk/pipelines';

  private static addECRLogin (pipeline: CdkPipeline, sourceECRs: string[]) {
    // Created once and attached to every Docker asset role; creating it inside the
    // loop would reuse the same construct id when there is more than one Docker asset.
    let policy: Policy | undefined;
    for (const action of pipeline.stage('Assets')?.actions ?? []) {
      const actionProperties = action.actionProperties;
      if (actionProperties.actionName.startsWith('Docker')) {
        // workaround for https://github.com/aws/aws-cdk/issues/10999
        const publishAction = action as PublishAssetsAction;
        // `commands` is a private field of PublishAssetsAction, hence the cast to any
        const commands: string[] = (publishAction as any).commands;
        for (const sourceECR of sourceECRs) {
          // NOTE: this makes the simplifying assumption that the sourceECR is in the same region as the pipeline
          const command = `aws ecr get-login-password --region ${Stack.of(pipeline).region} | docker login --username AWS --password-stdin ${sourceECR}`;
          if (!commands.includes(command)) {
            // login needs to happen before the asset publication (that's where docker images are built)
            commands.unshift(command);
          }
        }

        policy = policy ?? new Policy(pipeline, 'AllowECRLoginAndPull', {
          statements: [
            new PolicyStatement({
              actions: [
                'ecr:GetAuthorizationToken',
                'ecr:GetDownloadUrlForLayer',
                'ecr:BatchGetImage',
              ],
              resources: ['*'],
              sid: 'AllowECRLoginAndPull',
            }),
          ],
        });
        policy.attachToRole(actionProperties.role!);
      }
    }
  }
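
As an added example (not code from the issue or from the CDK project), the sketch below tightens the two shortcuts in the workaround above: it takes the region from each source registry's hostname instead of assuming the pipeline's region, and it scopes the pull permissions to the named repositories rather than `*`. The function names, the URI pattern (standard `aws` partition, no tag) and the sample account IDs are assumptions made for illustration.

```typescript
// Added example: plain TypeScript with no CDK imports; every name below is hypothetical.
interface EcrRepoRef { account: string; region: string; registry: string; repository: string; }

// <12-digit account>.dkr.ecr.<region>.amazonaws.com/<repository>, no tag, "aws" partition only.
// The strict pattern also keeps shell metacharacters out of the generated login command.
const ECR_URI =
  /^(\d{12})\.dkr\.ecr\.([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com\/([a-z0-9]+(?:[._\/-][a-z0-9]+)*)$/;

function parseEcrRepo(uri: string): EcrRepoRef {
  const m = ECR_URI.exec(uri);
  if (!m) throw new Error(`not a private ECR repository URI: ${uri}`);
  const account = m[1]!, region = m[2]!, repository = m[3]!;
  return { account, region, registry: `${account}.dkr.ecr.${region}.amazonaws.com`, repository };
}

// One login per distinct registry, using that registry's own region.
function loginCommands(repos: EcrRepoRef[]): string[] {
  const byRegistry = new Map<string, string>();
  for (const r of repos) {
    byRegistry.set(r.registry,
      `aws ecr get-login-password --region ${r.region} | docker login --username AWS --password-stdin ${r.registry}`);
  }
  return Array.from(byRegistry.values());
}

// IAM statements (policy-document JSON shape) for the asset build role.
function pullPolicyStatements(repos: EcrRepoRef[]) {
  const arns = Array.from(new Set(
    repos.map(r => `arn:aws:ecr:${r.region}:${r.account}:repository/${r.repository}`)));
  return [
    // GetAuthorizationToken has no resource-level scoping, so it stays on "*".
    { Sid: 'AllowECRLogin', Effect: 'Allow', Action: ['ecr:GetAuthorizationToken'], Resource: ['*'] },
    // Same pull actions as the workaround, limited to the named repositories.
    { Sid: 'AllowECRPull', Effect: 'Allow',
      Action: ['ecr:GetDownloadUrlForLayer', 'ecr:BatchGetImage'], Resource: arns },
  ];
}

// Constructed sample input: documentation-style account IDs and made-up repository names.
const SAMPLE_REPOS = [
  '111122223333.dkr.ecr.eu-west-1.amazonaws.com/base/node',
  '111122223333.dkr.ecr.eu-west-1.amazonaws.com/base/python',
  '444455556666.dkr.ecr.us-east-1.amazonaws.com/tools',
].map(parseEcrRepo);
console.log(loginCommands(SAMPLE_REPOS).join('\n'));
console.log(JSON.stringify(pullPolicyStatements(SAMPLE_REPOS), null, 2));
```

When the source registry lives in another account, as in the use case above, that account's repository policy must also grant these pull actions to the build role.
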

3 reactions
tobli commented, Jan 24, 2021

@quincycs this issue arises when using aws-ecr-assets to build a Docker image as part of the pipeline. Cdk Assets will create a new Assets build pipeline step as an implementation detail. It’s for that the login step is needed.
