diff --git a/README.md b/README.md index 1781a36..f484198 100644 --- a/README.md +++ b/README.md @@ -54,6 +54,8 @@ Either a string, or a list of strings with AWS account IDs that correspond to th ### `no-include-email` (optional) +> Obsolete if using AWS CLI version 1.17.10 or newer. + Add `--no-include-email` to ecr get-login. Required for docker 17.06+, but needs aws-cli 1.11.91+. ### `region` (optional) @@ -66,8 +68,16 @@ Retries login after a delay N times. Defaults to 0. ### `assume-role` (optional) +> Updates AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables. + Assume an AWS IAM role before ECR login. Supports `role-arn` and `duration-seconds` (optional) per the [associated AWS CLI command.](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html) +### `profile` (optional) + +> Requires AWS CLI version 1.17.10 or greater. + +Use a different AWS profile from the default during ECR login. + ## License MIT (see [LICENSE](LICENSE)) diff --git a/hooks/environment b/hooks/environment index 4639c99..8ec66ee 100755 --- a/hooks/environment +++ b/hooks/environment @@ -140,6 +140,13 @@ function login_using_aws_ecr_get_login_password() { echo >&2 "AWS region should be specified via plugin config or AWS_DEFAULT_REGION environment." echo >&2 "Defaulting to $region for legacy compatibility." fi + + login_args=("--region" "${region}") + + if [[ -n "${BUILDKITE_PLUGIN_ECR_PROFILE:-}" ]] ; then + login_args+=("--profile" "${BUILDKITE_PLUGIN_ECR_PROFILE}") + fi + account_ids=() while IFS='' read -r line; do account_ids+=("$line"); done < <(plugin_read_list ACCOUNT_IDS | tr "," "\n") # check if account_ids is empty, or only contains an empty string. 
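Review bot: Passing `--profile` to `aws ecr get-login-password` changes which identity performs the login, and the hunk does not say what happens when `assume-role` is configured as well. Per the README text in this commit, `assume-role` exports AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN; as far as I know the AWS CLI gives an explicit `--profile` precedence over credentials in the environment, so the login would run as the profile's identity and not as the assumed role. I would either reject that combination in the hook or state the precedence in the README. Separately, `login_args` is assigned without `local` although `password` in the same function is declared `local`; `local login_args=("--region" "${region}")` keeps it out of the global scope. The function starts before this hunk and continues past it.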
@@ -153,7 +160,7 @@ function login_using_aws_ecr_get_login_password() {
 fi
 # amend the ~~~ log heading with ^^^ to add the AWS account IDs
 echo "^^^ Authenticating with AWS ECR in $region for ${account_ids[*]} :ecr: :docker:"
- local password; password="$(retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" aws --region "$region" ecr get-login-password)"
+ local password; password="$(retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" aws ${login_args[@]+"${login_args[@]}"} ecr get-login-password)"
 for account_id in "${account_ids[@]}"; do
 retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" --with-stdin docker login --username AWS --password-stdin "$account_id.dkr.ecr.$region.amazonaws.com" <<< "$password"
 done
diff --git a/plugin.yml b/plugin.yml
index 95d59d8..4b68247 100644
--- a/plugin.yml
+++ b/plugin.yml
@@ -26,5 +26,7 @@ configuration:
 duration-seconds:
 type: number
 default: 3600
+ profile:
+ type: string
 required:
 - login
diff --git a/tests/run.bats b/tests/run.bats
index 0c84bae..7a68eaa 100644
--- a/tests/run.bats
+++ b/tests/run.bats
@@ -6,6 +6,31 @@ load '/usr/local/lib/bats/load.bash'
 # export AWS_STUB_DEBUG=/dev/tty
+@test "ECR login; configured account ID, configured region, configured profile" {
+ export BUILDKITE_PLUGIN_ECR_LOGIN=true
+ export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=321321321321
+ export BUILDKITE_PLUGIN_ECR_REGION=ap-southeast-2
+ export BUILDKITE_PLUGIN_ECR_PROFILE=ecr
+
+ stub aws \
+ "--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
+ "--region ap-southeast-2 --profile ecr ecr get-login-password : echo hunter2"
+
+ stub docker \
+ "login --username AWS --password-stdin 321321321321.dkr.ecr.ap-southeast-2.amazonaws.com : cat > /tmp/password-stdin ; echo logging in to docker"
+
+ run "$PWD/hooks/environment"
+
+ assert_success
+ assert_output --partial "~~~ Authenticating with AWS ECR :ecr: :docker:"
+ assert_output --partial "^^^ Authenticating with AWS ECR in ap-southeast-2 for 321321321321 :ecr: :docker:"
+ assert_output --partial "logging in to docker"
+ [[ $(cat /tmp/password-stdin) == "hunter2" ]]
+
+ unstub aws
+ unstub docker
+}
+
 @test "ECR login; configured account ID, configured region" {
 export BUILDKITE_PLUGIN_ECR_LOGIN=true
 export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=321321321321
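Review bot: The docker stub in the new test writes the password to the fixed path `/tmp/password-stdin` and nothing removes the file, so a copy left by an earlier test or run would let `[[ $(cat /tmp/password-stdin) == "hunter2" ]]` pass even if the hook never piped the password to `docker login`. Use a per-run path such as `"$BATS_TMPDIR/password-stdin"` in both the stub and the assertion, or start the test with `rm -f /tmp/password-stdin`. The test also covers only the case where the profile is set with AWS CLI 2.0.0; a case for a CLI older than 1.17.10, which the README says `profile` requires, would show whether the option is silently ignored there.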