(aws-ecr-assets): Allow docker image assets to access private data in builds #12062

Closed
1 of 2 tasks
deadcore opened this issue Dec 14, 2020 · 9 comments
Labels
@aws-cdk/aws-ecr-assets Related to AWS CDK Docker Image Assets effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. good first issue Related to contributions. See CONTRIBUTING.md p2

Comments

@deadcore

deadcore commented Dec 14, 2020

The docker build command has a --ssh option to allow the Docker Engine to forward SSH agent connections. This is useful if you have private assets stored somewhere which are required in the build (for example private git repositories referenced by cargo).

The proposal is to allow the flag --ssh with a value to be passed to the docker build command outside of build_args (which CDK already supports but does not support this use case). For example my build command would look like this:

docker build --ssh default -t foobar .

Use Case

This is useful if you have private assets stored somewhere which are required in the build (for example private git repositories referenced by cargo)

Cargo for example looks like this:

[package]
name = "my_project"
[dependencies]
my_lib = { git = "ssh://git@github.com/deadcore/my_lib.git", tag = "my_lib_0.1.0_47330eb"  }

Proposed Solution

The simplest thought I could think of is:

const dockerImage = new DockerImageAsset(this, 'docker-image', {
    directory: path.join(__dirname, ".."),
    ssh_forward: true,
});

or to allow full support of the SSH forwarding ability in Docker:

const dockerImage = new DockerImageAsset(this, 'docker-image', {
    directory: path.join(__dirname, ".."),
    ssh_forward: {
        'projecta': './projecta.pem',
        'projectb': './projectb.pem'
    },
});

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@deadcore deadcore added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 14, 2020
@github-actions github-actions bot added the @aws-cdk/aws-ecr-assets Related to AWS CDK Docker Image Assets label Dec 14, 2020
@deadcore
Author

Any thoughts on this?

@eladb
Contributor

eladb commented Feb 15, 2021

We will happily accept a contribution for this. Sounds reasonable to support.

@eladb eladb added effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md p2 labels Feb 15, 2021
@eladb eladb removed their assignment Feb 25, 2021
@ryparker ryparker removed the needs-triage This issue or PR still needs to be triaged. label Jun 2, 2021
@github-actions

github-actions bot commented Jun 2, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 2, 2022
@schlichtanders

@deadcore can you explain why build_args are not enough?

build_args (which CDK already supports but does not support this use case)

@github-actions github-actions bot removed the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 7, 2022
@christiangaetano

christiangaetano commented Jun 7, 2022

@deadcore can you explain why build_args are not enough?

build_args (which CDK already supports but does not support this use case)

The ultimate goal here is not to consume an SSH key as a variable in a Dockerfile, but rather to define the optional --ssh flag used with the docker build command. This is a new flag that allows Docker to securely access host SSH credentials at build time.

Using build_args, you would get something like this:

docker build --build-arg --ssh=default

Desired command is:

docker build --ssh default

@graydenshand
Contributor

graydenshand commented Aug 22, 2023

This was implemented in #26356

That said, I'm not able to get this to work with v2.92.0. Deploying with cdk deploy -v prints the generated docker build command, and it appears that it doesn't include the new --ssh param.

        ecr_assets.DockerImageAsset(
            self,
            "my-image",
            build_ssh="default",
            platform=ecr_assets.Platform.LINUX_AMD64,
            directory=".",
        )

produces

[16:10:51] my-stack:  build: Building Docker image at ../my-stack/cdk.out/asset.09bf1af386bccfd31cf641f6ce3ae0dbfebcfe5d1656e017e2b70e7879c2d89b
[16:10:51] my-stack:  debug: docker build --tag cdkasset-09bf1af386bccfd31cf641f6ce3ae0dbfebcfe5d1656e017e2b70e7879c2d89b --platform linux/amd64 .

On aws-cdk@2.92.0 and python aws-cdk-lib==2.92.0.

Heads up @JackWBoynton @mrgrain
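
An added example, not part of the thread and not aws-cdk's own code: it illustrates the two points made in the comments above, that `--ssh` has to reach `docker build` as its own flag rather than as a `--build-arg` value, and that the logged build command can be checked for it. The names `DockerBuildOptions`, `dockerBuildArgv`, `loggedCommandHasSsh` and the sample log lines are hypothetical and constructed for illustration.

```typescript
// Added example: hypothetical helpers, not aws-cdk code.
interface DockerBuildOptions {
  directory: string;
  tag: string;
  buildArgs?: { [key: string]: string };
  buildSsh?: string; // value for `docker build --ssh`, e.g. "default"
  platform?: string;
}

// Assemble argv for `docker build`. Every flag and its value is a separate
// argv element, so --ssh is never folded into a --build-arg.
function dockerBuildArgv(opts: DockerBuildOptions): string[] {
  const argv: string[] = ["build", "--tag", opts.tag];
  const buildArgs = opts.buildArgs || {};
  for (const key of Object.keys(buildArgs)) {
    argv.push("--build-arg", key + "=" + buildArgs[key]);
  }
  if (opts.buildSsh !== undefined) argv.push("--ssh", opts.buildSsh);
  if (opts.platform !== undefined) argv.push("--platform", opts.platform);
  argv.push(opts.directory);
  return argv;
}

// True if a logged "docker build ..." line carries --ssh with the expected
// value as a real flag (`--ssh v` or `--ssh=v`), not as a --build-arg value.
// Splits on whitespace, which is enough for lines without quoted arguments.
function loggedCommandHasSsh(logLine: string, expected: string): boolean {
  const start = logLine.indexOf("docker build");
  if (start < 0) return false;
  const tokens = logLine.slice(start).split(/\s+/);
  for (let i = 0; i < tokens.length; i++) {
    if (tokens[i] === "--build-arg") { i++; continue; } // skip its value
    if (tokens[i] === "--ssh=" + expected) return true;
    if (tokens[i] === "--ssh" && tokens[i + 1] === expected) return true;
  }
  return false;
}

// Constructed sample lines in the shape of `cdk deploy -v` debug output.
const SAMPLE_LOG: string[] = [
  "[00:00:01] my-stack:  debug: docker build --tag cdkasset-example --platform linux/amd64 .",
  "[00:00:02] my-stack:  debug: docker build --tag cdkasset-example --ssh default --platform linux/amd64 .",
  "[00:00:03] my-stack:  debug: docker build --build-arg --ssh=default .",
];

// Which sample lines actually forward the SSH agent?
function sshFlagsInSample(): boolean[] {
  return SAMPLE_LOG.map((line) => loggedCommandHasSsh(line, "default"));
}
```

Only the second sample line passes the check; the third mirrors the `--build-arg --ssh=default` form from the comment above and is rejected.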

@JackWBoynton
Contributor

Thanks for the catch! Have a PR for the fix

@ashishdhingra
Contributor

PR #26846 merged. Closing this issue. Feel free to open if the issue still exists.


github-actions bot commented Jun 6, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
