aws-toolkit-azure-devops
ECR tasks should have the option to logout on completion?
Is your feature request related to a problem? Please describe.
Using the configured AWS Service Connection credentials, the ECR tasks (push and pull) will perform a docker login which results in credentials being cached in the docker config of the agent user at ~/.docker/config.json. No logout is subsequently performed. For self-hosted agents, which may not be ephemeral, subsequent executions of unrelated pipelines can use these cached credentials to perform ECR operations. Aside from potentially destructive operations, some docker tasks integrating with ECR which don't use the AWS-provided ECR Push/Pull tasks may behave unpredictably depending on whether a previous pipeline using the ECR Push/Pull tasks has been executed.
Describe the solution you'd like
Ideally the ECR Push/Pull tasks could do a docker logout in a post-job execution step at the end of the pipeline execution. Some considerations though:
- There could be multiple ECR tasks in a pipeline. Would each one perform a logout? Is this an idempotent operation, i.e. do subsequent logouts complete without an exception? The post-job execution step could parse the docker config.json to determine if a logout is required.
- Do some customers have maintenance processes to log their agent accounts in to ECR? Having the ECR tasks perform a logout could disrupt pipelines that depend on these processes. The ECR tasks could track whether they had to perform a docker login and only logout if they were responsible, though this doesn't look easy to track (link). I think I'm less concerned here as I would say having cached credentials on disk only for the duration of the pipeline execution would be a better security practice and customers could look at an alternative solution like amazon-ecr-credential-helper.
Describe alternatives you've considered
Having our own custom process injected into the pipelines to perform a docker logout at the end of the pipeline execution.
Additional context
Azure DevOps Server 2019.1.1 with self-hosted Azure Pipeline Agents v2.168.2
The self-hosted scenario was not considered when these tasks were written; this makes sense to add as an option.
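One way to implement the check raised in the issue (parse the Docker config.json and log out only of ECR registries that the job itself added), shown as an added example that is not the toolkit's code. The function names, the snapshot approach and the sample registries are assumptions constructed for illustration.

```python
import json
import re
import subprocess
from pathlib import Path

# Private ECR hosts: <12-digit account>.dkr.ecr.<region>.amazonaws.com[.cn]
ECR_HOST = re.compile(
    r"^(?:https://)?\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com(?:\.cn)?/?$"
)

def cached_ecr_logins(config):
    """Return the ECR registries that have an entry under "auths"."""
    return {reg for reg in config.get("auths", {}) if ECR_HOST.match(reg)}

def registries_to_logout(before, after):
    """ECR logins that appeared during the job; pre-existing ones are kept."""
    return sorted(cached_ecr_logins(after) - cached_ecr_logins(before))

def load_config(path):
    """Read a Docker config file; a missing file means nothing is cached."""
    try:
        return json.loads(Path(path).read_text())
    except FileNotFoundError:
        return {}

def logout(registries):
    """Run `docker logout <registry>` for each entry (needs the docker CLI)."""
    for reg in registries:
        subprocess.run(["docker", "logout", reg], check=True)

# Constructed sample data: the agent user's config before and after an ECR
# task ran. The "auth" values are placeholders, not real credentials.
SAMPLE_BEFORE = {"auths": {
    "111111111111.dkr.ecr.eu-west-1.amazonaws.com": {"auth": "placeholder"},
}}
SAMPLE_AFTER = {"auths": {
    "111111111111.dkr.ecr.eu-west-1.amazonaws.com": {"auth": "placeholder"},
    "https://222222222222.dkr.ecr.us-east-1.amazonaws.com": {"auth": "placeholder"},
    "registry.example.com": {"auth": "placeholder"},
}}

if __name__ == "__main__":
    # Prints the plan for the sample. A post-job step would instead snapshot
    # ~/.docker/config.json with load_config() before the first ECR task and
    # again at the end, then pass the result to logout().
    print(registries_to_logout(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Because the plan is the difference between two snapshots, a second run after logout yields an empty list, and a login made by a separate maintenance process before the job is never removed.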