AWS ECR login creds are clobbered by pre-command about elastic-ci-stack-for-aws HOT 13 CLOSED

Seems like at a minimum we should have a conditional guard around deleting existing creds only if DOCKER_HUB_* is specified.

from elastic-ci-stack-for-aws.

I finally got around to testing this... Works perfectly, thank you! @toolmantim

from elastic-ci-stack-for-aws.

Oh man, it took me a while to figure this one out. I tried to docker login via the env script, as suggested in the README, but kept getting 403s... now I know why! 😉

My "env" file now contains the following 2 additional lines...

echo "Removing /etc/buildkite-agent/hooks/pre-command, as it messes with docker login"
rm /etc/buildkite-agent/hooks/pre-command
docker login ...

from elastic-ci-stack-for-aws.

Hrm, why do we do the login stuff in a pre-command hook rather than the environment hook?

from elastic-ci-stack-for-aws.

@lox I have no idea why it's in the pre-command hook, no reason we can't move it into the environment hook.

from elastic-ci-stack-for-aws.

I suspect I was trying to ensure that credentials from a past command couldn't be accidentally leaked to a subsequent command, but the env hook should do that fine.

from elastic-ci-stack-for-aws.

Doesn't the docker login command always look the same, i.e. could the hook not just support a generic login mechanism? I wouldn't mind the config cleanup, if I could provide docker credentials some other way...

From looking at the pre-command hook, email would need to be optional (it's deprecated with newer docker versions), and we would need a way to add the "repository service url".

We're using quay.io and the login command in the end looks like this: docker login -u username -p password quay.io.

from elastic-ci-stack-for-aws.

I just pushed changes for this to #127

@bforchhammer this would look like this now for quay.io:

export DOCKER_LOGIN_USER=username
export DOCKER_LOGIN_PASSWORD=password
export DOCKER_LOGIN_SERVER=quay.io

For Docker Hub it's simply:

export DOCKER_LOGIN_USER=username
export DOCKER_LOGIN_PASSWORD=password

For AWS ECR it's:

export AWS_ECR_LOGIN=true

For ECR registries in other accounts:

export AWS_ECR_LOGIN_REGISTRY_IDS=account-id-1,account-id-2

I should probably update the Readme to read like the above… with sub-headings for whichever registry you use.

from elastic-ci-stack-for-aws.

Awesome, great stuff @bforchhammer!

from elastic-ci-stack-for-aws.

Oh before I forget, please note that the actual env variable name in code is actually DOCKER_LOGIN_USER and not DOCKER_LOGIN_USERNAME... just in case anyone stumbles on this issue and tries to follow your instructions above ;-)

from elastic-ci-stack-for-aws.

@bforchhammer thanks!

from elastic-ci-stack-for-aws.

@lox how can i see the debug messages for env hooks . i have put docker login credential there and nothing is happenning , not sure how to debug if those scripts are getting invoked or not. i have put dummy export TEST='sample' to test but i can't even see that in environment tab on build interface

from elastic-ci-stack-for-aws.

Wanna send us an email at [email protected] with some context @singhrcode? Doesn't sound related to the above issue.

from elastic-ci-stack-for-aws.