feat(cdk-assets): externally-configured Docker credentials #15290

njlynch · 2021-06-24T10:52:53Z

Currently, cdk-assets does a single docker login with credentials fetched
from ECR's getAuthorizationToken API. This enables access to (typically) the
assets in the environment's ECR repo (*--container-assets-*).

A pain point for users today is throttling when using images from other sources,
especially from DockerHub when using unauthenticated calls.

This change introduces a new configuration file at a well-known location (and
overridable via the CDK_DOCKER_CREDS_FILE environment variable), which allows
specifying per-domain login credentials via either the default ECR auth tokens
or via a secret in SecretsManager.

If the credentials file is present, a Docker credential helper
(docker-credential-cdk-assets) will be set up for each of the configured
domains, and used for the docker build commands to enable fetching images from
both DockerHub or configured ECR repos. Then the "normal" credentials will be
assumed for the final publishing step. For backwards compatibility, if no
credentials file is present, the existing docker login will be done prior to
the build step as usual.

This PR will be shortly followed by a corresponding PR for the cdk pipelines
library to enable users to specify registries and credentials to be fed into
this credentials file during various stages of the pipeline (e.g., build/synth,
self-update, and asset publishing).

Two refactorings here:

Moved obtainEcrCredentials from docker.ts to docker-credentials-ts.
Moved DefaultAwsClient from bin/publish.ts to lib/aws.ts

related #10999
related #11774

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

Currently, `cdk-assets` does a single `docker login` with credentials fetched from ECR's `getAuthorizationToken` API. This enables access to (typically) the assets in the environment's ECR repo (`*--container-assets-*`). A pain point for users today is throttling when using images from other sources, especially from DockerHub when using unauthenticated calls. This change introduces a new configuration file at a well-known location (and overridable via the CDK_DOCKER_CREDS_FILE environment variable), which allows specifying per-domain login credentials via either the default ECR auth tokens or via a secret in SecretsManager. If the credentials file is present, a Docker credential helper (docker-credential-cdk-assets) will be set up for each of the configured domains, and used for the `docker build` commands to enable fetching images from both DockerHub or configured ECR repos. Then the "normal" credentials will be assumed for the final publishing step. For backwards compatibility, if no credentials file is present, the existing `docker login` will be done prior to the build step as usual. This PR will be shortly followed by a corresponding PR for the cdk pipelines library to enable users to specify registries and credentials to be fed into this credentials file during various stages of the pipeline (e.g., build/synth, self-update, and asset publishing). related #10999 related #11774

gitpod-io · 2021-06-24T10:52:55Z

rix0rrr

Provisional okeli-dokeli after you've considered my feedback.

packages/cdk-assets/bin/docker-credential-cdk-assets.ts

packages/cdk-assets/lib/private/docker-credentials.ts

packages/cdk-assets/lib/private/docker.ts

packages/cdk-assets/lib/private/handlers/container-images.ts

packages/cdk-assets/test/private/docker-credentials.test.ts

…docker-creds

mergify · 2021-06-25T11:45:46Z

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

aws-cdk-automation · 2021-06-25T12:23:50Z

AWS CodeBuild CI Report

CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
Commit ID: a6ad9e4
Result: SUCCEEDED
Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

mergify · 2021-06-25T12:24:52Z

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Currently, `cdk-assets` does a single `docker login` with credentials fetched from ECR's `getAuthorizationToken` API. This enables access to (typically) the assets in the environment's ECR repo (`*--container-assets-*`). A pain point for users today is throttling when using images from other sources, especially from DockerHub when using unauthenticated calls. This change introduces a new configuration file at a well-known location (and overridable via the CDK_DOCKER_CREDS_FILE environment variable), which allows specifying per-domain login credentials via either the default ECR auth tokens or via a secret in SecretsManager. If the credentials file is present, a Docker credential helper (docker-credential-cdk-assets) will be set up for each of the configured domains, and used for the `docker build` commands to enable fetching images from both DockerHub or configured ECR repos. Then the "normal" credentials will be assumed for the final publishing step. For backwards compatibility, if no credentials file is present, the existing `docker login` will be done prior to the build step as usual. This PR will be shortly followed by a corresponding PR for the cdk pipelines library to enable users to specify registries and credentials to be fed into this credentials file during various stages of the pipeline (e.g., build/synth, self-update, and asset publishing). Two refactorings here: - Moved obtainEcrCredentials from docker.ts to docker-credentials-ts. - Moved DefaultAwsClient from bin/publish.ts to lib/aws.ts related aws#10999 related aws#11774 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

njlynch requested review from rix0rrr and a team June 24, 2021 10:52

njlynch self-assigned this Jun 24, 2021

mergify bot added the contribution/core This is a PR that came from AWS. label Jun 24, 2021

update aws-cdk ISDK/MockSdk to match cdk-assets IAws

d8d265f

rix0rrr added the pr/do-not-merge This PR should not be merged at this time. label Jun 24, 2021

rix0rrr approved these changes Jun 24, 2021

View reviewed changes

PR feedback from Rico

c208242

njlynch requested a review from rix0rrr June 24, 2021 14:00

njlynch added 2 commits June 24, 2021 15:37

Merge remote-tracking branch 'origin/master' into njlynch/cdk-assets-…

084155e

…docker-creds

resetAuthPlugins simply resets to default

d45eeb2

njlynch removed the pr/do-not-merge This PR should not be merged at this time. label Jun 25, 2021

Merge branch 'master' into njlynch/cdk-assets-docker-creds

a6ad9e4

mergify bot merged commit e530195 into master Jun 25, 2021

mergify bot deleted the njlynch/cdk-assets-docker-creds branch June 25, 2021 12:24

chand1012 mentioned this pull request Jun 29, 2021

Switch from CDK Pipelines to GitHub Actions alwaysbegrowing/pre-processing#38

Closed

adriantaut mentioned this pull request Dec 23, 2021

feat(pipelines): Docker registry credentials #15364

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(cdk-assets): externally-configured Docker credentials #15290

feat(cdk-assets): externally-configured Docker credentials #15290

njlynch commented Jun 24, 2021

gitpod-io bot commented Jun 24, 2021

rix0rrr left a comment

mergify bot commented Jun 25, 2021

aws-cdk-automation commented Jun 25, 2021

mergify bot commented Jun 25, 2021

feat(cdk-assets): externally-configured Docker credentials #15290

feat(cdk-assets): externally-configured Docker credentials #15290

Conversation

njlynch commented Jun 24, 2021

gitpod-io bot commented Jun 24, 2021

rix0rrr left a comment

Choose a reason for hiding this comment

mergify bot commented Jun 25, 2021

aws-cdk-automation commented Jun 25, 2021

AWS CodeBuild CI Report

mergify bot commented Jun 25, 2021