
Create ecr_registry resource to login to ecr

Open chrisferry opened this issue 8 years ago • 15 comments

Referencing https://github.com/chef-cookbooks/docker/issues/660 To access docker images in ECR we need to login using awscli. See https://gist.github.com/chrisferry/f716d3e74d534598eaa5 for an example.

chrisferry, Feb 29 '16 20:02

@chrisferry Can you please explain how to use this "https://gist.github.com/chrisferry/f716d3e74d534598eaa5 " ?

rashidmahmood, Mar 02 '17 11:03

Here is a workaround for this issue.

  1. Set up your access keys on your node.
  2. Add this to your recipe. It will simply log in to ECR.

    # `aws ecr get-login` prints a full command of the form
    #   docker login -u AWS -p <token> -e none https://<account>.dkr.ecr.<region>.amazonaws.com
    # so after splitting on spaces, index 5 is the temporary password.
    cmd = "aws ecr get-login --region us-east-1"
    value = `#{cmd}`
    list = value.split(" ")

    docker_registry 'AWS ECR registry' do
      serveraddress 'https://xyz.ecr.us-east-1.amazonaws.com'
      username 'AWS'
      password "#{list[5]}"
      email 'none'
    end

rashidmahmood, Mar 16 '17 14:03
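Added example, not part of the thread and not code from the aws or docker cookbooks: the workaround above shells out to `aws ecr get-login` and picks the password out of the printed `docker login` line on every Chef run. The same credential is available in structured form from `aws ecr get-authorization-token`, whose `authorizationToken` is base64 of `AWS:<password>` and which also reports `expiresAt`, so a recipe can decode it itself and skip the refresh while the cached token is still valid. The JSON below is a constructed sample of that CLI output (placeholder account ID and password; `expiresAt` is assumed to be in its ISO-8601 string form, the numeric epoch form is handled too), and `needs_refresh?` is a helper name chosen here.

```ruby
require 'json'
require 'base64'
require 'time'

# Constructed sample of `aws ecr get-authorization-token --output json` output.
# The token is base64("AWS:<password>"); the password is a placeholder.
SAMPLE_RESPONSE = {
  'authorizationData' => [{
    'authorizationToken' => Base64.strict_encode64('AWS:example-ecr-password-123'),
    'expiresAt'          => '2019-05-28T12:00:00Z', # assumed ISO-8601 form
    'proxyEndpoint'      => 'https://123456789012.dkr.ecr.us-east-1.amazonaws.com'
  }]
}.to_json

# Split the CLI output into the pieces a docker_registry resource needs.
# Returns username, password, server address and the token's expiry (UTC).
def parse_ecr_token(json_text)
  data = JSON.parse(json_text).fetch('authorizationData').first
  user, pass = Base64.strict_decode64(data.fetch('authorizationToken')).split(':', 2)
  exp = data.fetch('expiresAt')
  exp = exp.is_a?(Numeric) ? Time.at(exp).utc : Time.parse(exp).utc
  {
    username:      user,          # always "AWS" for ECR
    password:      pass,
    serveraddress: data.fetch('proxyEndpoint'),
    expires_at:    exp
  }
end

# True when no cached expiry is known or the token expires within `margin`
# seconds of `now`; false while the cached token is comfortably valid.
def needs_refresh?(expires_at, now: Time.now.utc, margin: 15 * 60)
  expires_at.nil? || now + margin >= expires_at
end

# Recipe usage (Chef DSL, shown as a comment because it needs a chef-client run):
#   token = parse_ecr_token(`aws ecr get-authorization-token --region us-east-1 --output json`)
#   docker_registry token[:serveraddress] do
#     username token[:username]
#     password token[:password]
#     only_if { needs_refresh?(node.run_state['ecr_token_expires_at']) }
#   end
if $PROGRAM_NAME == __FILE__
  t = parse_ecr_token(SAMPLE_RESPONSE)
  puts "login #{t[:username]} @ #{t[:serveraddress]}, expires #{t[:expires_at]}"
end
```

The expiry has to be remembered somewhere across runs (a file on the node, or the run state if the recipe only needs it within one run) for `needs_refresh?` to be useful; a fresh token is still fetched whenever nothing is cached.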

I'd like to begin work on this feature (have a dire use case for it), but it would require the aws cookbook to depend on the docker cookbook to implement fully. In the interest of keeping aws lightweight, I'm thinking of creating a separate aws_ecr cookbook with nothing but an aws_ecr_registry LWRP, but will defer that decision to this cookbook's maintainers.

don-code, Jun 06 '17 14:06

+1 to this. Staggering that Chef has no native resource to be able to log into ECR. What year is this?

petewilcock, Aug 09 '17 15:08

@petewilcock 2018 apparently.

turtleDev, Sep 26 '18 08:09

@turtleDev Greetings from 2019.

charlieoleary, May 05 '19 22:05

Are you all blocked or you just want a Chef resource?

If blocked, I don't mind providing the way to do it.

Ping me and I'll post solution here 👨‍🍳

scalp42, May 21 '19 23:05

@rashidmahmood already demonstrated how to work around the issue.

But here's the thing, the cookbook should already provide a resource for ECR, since that's the 'proper' way of doing it.

turtleDev, May 24 '19 09:05

@turtleDev I don't think it's a good workaround as you refresh the token within the valid interval for no reason as well as having the username hardcoded (creds are base64 encoded with the username inside).

But sure if it works 🤷‍♂

scalp42, May 27 '19 20:05

The username for the ECR login never changes as far as I’m aware, so there’s no huge issue with it being hard-coded. As far as refreshing the token, since it’s only valid for a relatively short amount of time (compared to the standard Docker login), you should probably just refresh it when your client runs to avoid any pitfalls.

Either way, the other solutions seemed to be missing things or weren’t as flexible as I’d hoped. I ended up writing a quick recipe that works with the Docker cookbook and allows me to login during the run. I’ll share the gist if anyone wants to use it. It’s pretty adaptable and could be converted into a resource.

charlieoleary, May 28 '19 03:05

Have a look at: https://github.com/awslabs/amazon-ecr-credential-helper

scalp42, May 28 '19 06:05

@scalp42

don't think it's a good workaround as you refresh the token within the valid interval for no reason as well as having the username hardcoded (creds are base64 encoded with the username inside).

I totally agree.

But rather than having another workaround, I'd rather have a resource to work with.

That said, I think it's a good idea for you to post your workaround here anyway, if you think it solves the problem better than the current fix. It may be useful for other people who ran into the same problem as the rest of us.

turtleDev, May 28 '19 11:05

@scalp42 Ah, that's a great callout, actually, and a much better solution. I always forget about the credential helper (despite using it elsewhere).

charlieoleary, May 28 '19 17:05

@charlieoleary I think so too.

  • install golang
  • download or install the helper with `go get`
  • use a file resource in Chef with target /root/.docker/config.json
  • dump the content of a hash of attributes for your registries (repositories if ECR) with JSON.dump:

    file '/root/.docker/config.json' do
      content JSON.pretty_generate(node['my_registries'].to_h, quirks_mode: true)
    end

  • hint: you might want to read the content of /root/.docker/config.json first and then deep merge your attributes to be safe

Bonus point is that you can also have ECR, Quay.io etc working at the same time in the my_registries hash and decide if you want to turn a provider on/off with a feature flag:

if node[cookbook_name][recipe_name]['my_registries']['quay']['enabled']
  current_config['auths']['quay.io'] = {
    'auth' => ::MyLib::KMS.decrypt(node[cookbook_name][recipe_name]['my_registries']['quay']['auth'])
  }
else
  current_config['auths'].delete('quay.io')
end

To be transparent, I just don't think registry auth has much to do with Chef resources, but if it works for you 🤷‍♂

cc @turtleDev

scalp42, May 29 '19 18:05
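Added example, not part of the thread and not code from the aws or docker cookbooks or the credential helper project: the steps above (read the existing /root/.docker/config.json, deep-merge the registries from node attributes, toggle each provider with an `enabled` flag, write the file back) as one plain-Ruby function that a cookbook library could carry. ECR registries get a `credHelpers` entry pointing at `ecr-login` (the Docker name for the `docker-credential-ecr-login` binary, which must be on root's PATH), so no ECR password is ever written to disk; other registries keep a static `auths` entry as in the quay.io snippet. The existing config, the attribute hash and the `auth` values are all constructed placeholders, and `render_docker_config` is a name chosen here.

```ruby
require 'json'

# Constructed: what /root/.docker/config.json might already contain on the node.
EXISTING_CONFIG = <<~JSON
  {
    "auths": { "quay.io": { "auth": "b2xkLXVzZXI6b2xkLXBhc3M=" } },
    "HttpHeaders": { "User-Agent": "Docker-Client/18.09.7 (linux)" }
  }
JSON

# Constructed stand-in for node['my_registries'].to_h. Static `auth` values
# would normally come decrypted from KMS or a data bag; these are placeholders.
REGISTRIES = {
  'ecr' => {
    'enabled' => true,
    'helper'  => 'ecr-login', # docker looks for docker-credential-ecr-login
    'hosts'   => ['123456789012.dkr.ecr.us-east-1.amazonaws.com',
                  '123456789012.dkr.ecr.eu-west-1.amazonaws.com']
  },
  'quay'      => { 'enabled' => false, 'host' => 'quay.io',
                   'auth' => 'cGxhY2Vob2xkZXI6cGxhY2Vob2xkZXI=' },
  'dockerhub' => { 'enabled' => true, 'host' => 'https://index.docker.io/v1/',
                   'auth' => 'ZGV2OnNlY3JldA==' }
}

# Merge the registry attributes into the existing config.json text and return
# the new JSON. Keys the cookbook does not manage (HttpHeaders, proxies, ...)
# are preserved; a disabled provider removes only its own entry.
def render_docker_config(existing_json, registries)
  config = existing_json.to_s.strip.empty? ? {} : JSON.parse(existing_json)
  config['auths'] ||= {}
  config['credHelpers'] ||= {}

  registries.each_value do |reg|
    if reg['helper']
      # credential-helper registries: one credHelpers entry per host
      reg['hosts'].each do |host|
        if reg['enabled']
          config['credHelpers'][host] = reg['helper']
        else
          config['credHelpers'].delete(host)
        end
      end
    elsif reg['enabled']
      # static registries: base64("user:pass") under auths, as docker login writes it
      config['auths'][reg['host']] = { 'auth' => reg['auth'] }
    else
      config['auths'].delete(reg['host'])
    end
  end

  config.delete('credHelpers') if config['credHelpers'].empty?
  JSON.pretty_generate(config)
end

# Recipe usage (Chef DSL, shown as a comment because it needs a chef-client run):
#   file '/root/.docker/config.json' do
#     content lazy {
#       existing = ::File.exist?('/root/.docker/config.json') ? ::File.read('/root/.docker/config.json') : ''
#       render_docker_config(existing, node['my_registries'].to_h)
#     }
#     mode '0600'
#   end
puts render_docker_config(EXISTING_CONFIG, REGISTRIES) if $PROGRAM_NAME == __FILE__
```

The file resource stays idempotent because the rendered JSON is deterministic for a given node attribute hash, and `mode '0600'` matters for the static entries, since an `auths` value is only base64, not encryption.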

Yeah, totally. The previous use case was to avoid persisting a DockerHub / Quay / whatever login on each instance for anyone to use and making that only available to Chef. The docker cookbook made this workable with the docker_registry resource. This is less of an issue with ECR since it’s handled with IAM roles, so the logins can be handled in a much more flexible manner.

charlieoleary, May 30 '19 02:05