Merge pull request #88 from buildkite-plugins/toote_public_ecr

Support for public ECR
buildkite-plugins · Oct 20, 2022 · a68ba7d · a68ba7d
2 parents d450518 + 65d4f08
commit a68ba7d
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@ This will login docker to ECR prior to running your script.
 steps:
   - command: ./run_build.sh
     plugins:
-      - ecr#v2.6.0:
+      - ecr#v2.7.0:
           login: true
 ```
 
@@ -22,7 +22,7 @@ If you want to log in to ECR on [another account](https://docs.aws.amazon.com/Am
 steps:
   - command: ./run_build.sh
     plugins:
-      - ecr#v2.6.0:
+      - ecr#v2.7.0:
           login: true
           account_ids: "0015615400570"
           region: "ap-southeast-2"
@@ -34,7 +34,7 @@ If you need to assume a role to perform that login:
 steps:
   - command: ./run_build.sh
     plugins:
-      - ecr#v2.6.0:
+      - ecr#v2.7.0:
           login: true
           account-ids: "0015615400570"
           region: "ap-southeast-2"
@@ -52,6 +52,10 @@ Whether to login to your account's ECR.
 
 Either a string, or a list of strings with AWS account IDs that correspond to the Amazon ECR registries that you want to log in to. Make sure to quote these if they start with a 0.
 
+You can use the literal `public.ecr.aws` as a value to authenticate against AWS ECR public registries.
+
+:warning: If you are using [ECR Credential Helper](https://github.com/awslabs/amazon-ecr-credential-helper/) in your docker configuration it is possible you have to add `https://` to your account IDs to prevent an error (see the [corresponding bug report](https://github.com/docker/cli/issues/3665) for more information).
+
 ### `no-include-email` (optional)
 
 > Obsolete if using AWS CLI version 1.17.10 or newer.

diff --git a/hooks/environment b/hooks/environment
@@ -160,9 +160,20 @@ function login_using_aws_ecr_get_login_password() {
   fi
   # amend the ~~~ log heading with ^^^ to add the AWS account IDs
   echo "^^^ Authenticating with AWS ECR in $region for ${account_ids[*]} :ecr: :docker:"
-  local password; password="$(retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" aws ${login_args[@]+"${login_args[@]}"} ecr get-login-password)"
+
+  local password;
+  local public_password;
   for account_id in "${account_ids[@]}"; do
-    retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" --with-stdin docker login --username AWS --password-stdin "$account_id.dkr.ecr.$region.amazonaws.com" <<< "$password"
+    if [[ $account_id == "public.ecr.aws" ]]; then
+      # special AWS command with us-east-1 region 
+      echo "Ignoring region for $account_id and forcing us-east-1"
+      public_password="$(retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" aws --region us-east-1 ecr-public get-login-password)"
+      retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" --with-stdin docker login --username AWS --password-stdin public.ecr.aws <<< "$public_password"
+    else
+      # it is only necessary to get the password once
+      password=${password:-"$(retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" aws ${login_args[@]+"${login_args[@]}"} ecr get-login-password)"}
+      retry "${BUILDKITE_PLUGIN_ECR_RETRIES:-0}" --with-stdin docker login --username AWS --password-stdin "$account_id.dkr.ecr.$region.amazonaws.com" <<< "$password"
+    fi
   done
 }
 

diff --git a/tests/run.bats b/tests/run.bats
@@ -80,6 +80,7 @@ load "${BATS_PLUGIN_PATH}/load.bash"
   unstub docker
   rm /tmp/password-stdin
 }
+
 @test "ECR login; configured account ID, AWS_DEFAULT_REGION set" {
   export BUILDKITE_PLUGIN_ECR_LOGIN=true
   export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=421321321321
@@ -102,6 +103,7 @@ load "${BATS_PLUGIN_PATH}/load.bash"
   unstub docker
   rm /tmp/password-stdin
 }
+
 @test "ECR login; configured account ID, no region specified defaults to us-east-1" {
   export BUILDKITE_PLUGIN_ECR_LOGIN=true
   export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=421321321321
@@ -126,6 +128,7 @@ load "${BATS_PLUGIN_PATH}/load.bash"
   unstub docker
   rm /tmp/password-stdin
 }
+
 @test "ECR login; multiple account IDs" {
   export BUILDKITE_PLUGIN_ECR_LOGIN=true
   export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS_0=111111111111
@@ -153,6 +156,7 @@ load "${BATS_PLUGIN_PATH}/load.bash"
   rm /tmp/password-stdin-0
   rm /tmp/password-stdin-1
 }
+
 @test "ECR login; multiple comma-separated account IDs" {
   export BUILDKITE_PLUGIN_ECR_LOGIN=true
   export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=333333333333,444444444444
@@ -520,3 +524,27 @@ load "${BATS_PLUGIN_PATH}/load.bash"
   unstub aws
   unstub docker
 }
+
+@test "ECR login; public registry even in other regions" {
+  export BUILDKITE_PLUGIN_ECR_LOGIN=true
+  export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS=public.ecr.aws
+  export AWS_DEFAULT_REGION=us-west-2
+
+  stub aws \
+    "--version : echo aws-cli/2.0.0 Python/3.8.1 Linux/5.5.6-arch1-1 botocore/1.15.3" \
+    "--region us-east-1 ecr-public get-login-password : echo public"
+
+  stub docker \
+    "login --username AWS --password-stdin public.ecr.aws : cat > /tmp/password-stdin ; echo logging in to docker"
+
+
+  run "$PWD/hooks/environment"
+
+  assert_success
+  assert_output --partial "logging in to docker"
+  assert_equal "public" "$(cat /tmp/password-stdin)"
+
+  unstub aws
+  unstub docker
+  rm /tmp/password-stdin
+}