Merge pull request #69 from buildkite-plugins/keithduncan/comment-ass…

…ume-role Add comment to the assume role query
buildkite-plugins · Aug 24, 2021 · 500a391 · 500a391
2 parents 38cd091 + 1caec26
commit 500a391
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -18,6 +18,17 @@ steps:
 
 If you want to log in to ECR on [another account](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html#IAM_allow_other_accounts):
 
+```yml
+steps:
+  - command: ./run_build.sh
+    plugins:
+      - ecr#v2.3.0:
+          login: true
+          account_ids: "0015615400570"
+          region: "ap-southeast-2"
+```
+
+If you need to assume a role to perform that login:
 
 ```yml
 steps:
@@ -27,6 +38,8 @@ steps:
           login: true
           account-ids: "0015615400570"
           region: "ap-southeast-2"
+          assume_role:
+            role_arn: "arn:aws:iam::0015615400570:role/demo"
 ```
 
 ## Options
@@ -51,6 +64,10 @@ Set a specific region for ECR, defaults to `AWS_DEFAULT_REGION` on the agent, or
 
 Retries login after a delay N times. Defaults to 0.
 
+### `assume-role` (optional)
+
+Assume an AWS IAM role before ECR login. Supports `role-arn` and `duration-seconds` (optional) per the [associated AWS CLI command.](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html)
+
 ## License
 
 MIT (see [LICENSE](LICENSE))
diff --git a/hooks/environment b/hooks/environment
@@ -160,7 +160,30 @@ function login() {
   fi
 }
 
-# For logging into the current AWS account’s registry
+function assume_role_for_ecr_login() {
+  local export_credentials
+
+  # This query creates an outer array, then multiple inner arrays of [key,value]
+  # pairs. Then it projects the outer array, and joins each inner array to form
+  # a key=value string. Printing the final array with --output text results in a
+  # string of the key=value pairs joined by space characters.
+  export_credentials="$(aws sts assume-role \
+    --role-arn "${BUILDKITE_PLUGIN_ECR_ASSUME_ROLE_ROLE_ARN}" \
+    --role-session-name "ecr-login-buildkite-plugin" \
+    --duration-seconds "${BUILDKITE_PLUGIN_ECR_ASSUME_ROLE_DURATION_SECONDS:-3600}" \
+    --output text \
+    --query "[['AWS_ACCESS_KEY_ID',Credentials.AccessKeyId],['AWS_SECRET_ACCESS_KEY',Credentials.SecretAccessKey],['AWS_SESSION_TOKEN',Credentials.SessionToken]][*].join(\`=\`,@)")"
+
+  #shellcheck disable=SC2086
+  export ${export_credentials?}
+}
+
 if [[ "${BUILDKITE_PLUGIN_ECR_LOGIN:-}" =~ ^(true|1)$ ]] ; then
-  login
+  (
+    if [[ -n "${BUILDKITE_PLUGIN_ECR_ASSUME_ROLE_ROLE_ARN:-}" ]]; then
+      assume_role_for_ecr_login
+    fi
+
+    login
+  )
 fi
diff --git a/plugin.yml b/plugin.yml
@@ -18,5 +18,13 @@ configuration:
       type: boolean
     region:
       type: string
+    assume-role:
+      type: object
+      properties:
+        role-arn:
+          type: string
+        duration-seconds:
+          type: number
+          default: 3600
   required:
-    - login
+    - login