Can I use the Amazon ECR credential helper inside a Docker container if it's installed on my EC2 VM?

Time:11-10

I've installed the credential helper (GitHub) on our EC2 instance and got it working for my account. What I want to do is to use it during my GitLab CI/CD pipeline, where my gitlab-runner is actually running inside a Docker container and spawns new containers for the build, test & deploy phases. This is what our test phase looks like now:

image: docker:stable
run_tests:
  stage: test
  tags:
    - test
  before_script:
    - echo "Starting tests for CI_COMMIT_SHA=$CI_COMMIT_SHA"
    - docker run --rm mikesir87/aws-cli aws ecr get-login-password | docker login --username AWS --password-stdin $IMAGE_URL
  script:
    - docker run --rm $IMAGE_URL:$CI_COMMIT_SHA npm test

This works fine, but what I'd like to see if I could get working is the following:

image: docker:stable
run_tests:
  image: $IMAGE_URL:$CI_COMMIT_SHA
  stage: test
  tags:
    - test
  script:
    - npm test

When I try the 2nd option, I get the "no basic auth credentials" error. So I'm wondering if there is a way to get the credential helper to map to the Docker container without having to have the credential helper installed on the image itself.

CodePudding user response:

Configure your runner to use the credential helper with the DOCKER_AUTH_CONFIG environment variable. A convenient way to do this is to bake it all into your image.

So, your gitlab-runner image should include the docker-credential-ecr-login binary (or you should mount it in from the host).

FROM gitlab/gitlab-runner:v14.3.2
COPY bin/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login

Then, when you call gitlab-runner register, pass in the DOCKER_AUTH_CONFIG environment variable using the --env flag as follows:

AUTH_ENV="DOCKER_AUTH_CONFIG={ \"credsStore\": \"ecr-login\" }"
gitlab-runner register \
  --non-interactive \
  ...
  --env "${AUTH_ENV}" \
  --env "AWS_SDK_LOAD_CONFIG=true" \
  ...

You can also set this equivalently in the config.toml, instance CI/CD variables, or anywhere CI/CD variables are set (group, project, yaml, trigger, etc).

As long as your EC2 instance (or ECS task role if running the gitlab-runner as an ECS task) has permission to pull the image, your jobs will be able to pull down images from ECR declared in image: sections.

However, this will NOT necessarily let you automatically pull images using docker-in-docker (e.g. invoking docker pull within the script: section of a job). This can be configured (as it seems you already have working), but may require additional setup, depending on your runner and IAM configuration.
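
A way to sanity-check a DOCKER_AUTH_CONFIG value before registering the runner, as an added example that is not part of the answer above: it reports which credential source the JSON selects for a given image and whether the matching docker-credential-* binary is on PATH. The function names, the sample image reference (placeholder account ID and region) and the exact-hostname matching of registry keys are assumptions of this sketch.

```python
import json
import shutil

# Constructed sample image reference; the account ID and region are placeholders.
SAMPLE_IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:abc123"


def registry_of(image):
    """Registry host of an image reference; bare names resolve to Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_auth_config(raw, image, which=shutil.which):
    """Report which credential source DOCKER_AUTH_CONFIG selects for `image`."""
    cfg = json.loads(raw)  # raises ValueError if shell quoting mangled the JSON
    registry = registry_of(image)
    helper, source, findings = None, None, []
    if registry in cfg.get("credHelpers", {}):
        # Per-registry helper: only this registry is handed to the helper.
        helper, source = cfg["credHelpers"][registry], "credHelpers"
    elif cfg.get("credsStore"):
        helper, source = cfg["credsStore"], "credsStore"
        findings.append("credsStore is used for every registry; "
                        "credHelpers can limit the helper to " + registry)
    elif registry in cfg.get("auths", {}):
        source = "auths"
        findings.append("static credential for " + registry
                        + " is stored in the variable")
    else:
        findings.append("no credential source configured for " + registry)
    if helper and which("docker-credential-" + helper) is None:
        findings.append("docker-credential-" + helper + " not found on PATH")
    return {"registry": registry, "source": source,
            "helper": helper, "findings": findings}


if __name__ == "__main__":
    # Same JSON value the answer passes to `gitlab-runner register --env`.
    print(check_auth_config('{ "credsStore": "ecr-login" }', SAMPLE_IMAGE))
```

Run it in the same environment as gitlab-runner (for example inside the runner image built above), since the PATH lookup is only meaningful there.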
