AWS ECR login credential exchange #637

Closed
chonton opened this issue Dec 9, 2016 · 1 comment · Fixed by #663
chonton commented Dec 9, 2016

AWS ECR requires a CLI login before any docker image push or pull. I currently have my Jenkins job running the `aws ecr get-login` command. However, I prefer not to install the Amazon toolkit on all my build infrastructure and require all our developers to also install the Amazon toolkit.

I would like to submit a PR that would invoke the GetAuthorizationToken API to exchange AWS IAM credentials for temporary ECR credentials. This PR would augment the AuthConfigFactory. Any login credentials specified for an ECR repository would be considered IAM credentials needing exchange.

An ECR repository has a URL of the form `https://awsAccountId.dkr.ecr.awsRegion.amazonaws.com/repositoryName`

  1. Should credentials explicitly specified with docker.* properties be exchanged?
  2. Should credentials from ~/.config/kube be exchanged?
  3. Should credentials provided in plugin configuration be exchanged?
  4. Should credentials from .m2/settings be exchanged?
  5. Should credentials from ~/.docker/config.json be exchanged?
  6. Should there be a flag to prevent the exchange?

I'm thinking that credentials 1, 2, 3, 4 should be exchanged. ~/.docker/config.json likely contains already exchanged credentials. ~/.config/kube likely contains IAM credentials, as Kubernetes "will fetch and periodically refresh ECR credentials".

rhuss commented Dec 9, 2016

That's a good idea.

If I understand you right, d-m-p would do an exchange to obtain an AWS token when it detects that in pulls or pushes ECR is used.

This token is then used as the password, right?

Would it be harmful to always do the exchange? At that point in the code the credentials have already been picked up from the various places, so maybe we do not need to distinguish all the cases above.

There should be a flag to opt out of this feature if people want to do the authorization on their own.
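
An added example, not part of the issue thread and not the plugin's code: a sketch of the decision discussed above, covering strict detection of an ECR registry host, an opt-out flag, and splitting the base64 `user:password` token that GetAuthorizationToken returns. The class, method and flag names are hypothetical, the hostnames and token are constructed, and only the `amazonaws.com` URL form given in the issue is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; names are hypothetical, not docker-maven-plugin API.
public class EcrExchangeSketch {

    // Whole-host match (12-digit account id, then region), anchored at both ends so
    // look-alike hosts never trigger an exchange of IAM credentials.
    private static final Pattern ECR_HOST =
        Pattern.compile("^(\\d{12})\\.dkr\\.ecr\\.([a-z0-9-]+)\\.amazonaws\\.com$");

    /** Returns {accountId, region} for an ECR registry, or null for anything else. */
    static String[] parseEcrHost(String registry) {
        String host = registry.replaceFirst("^https?://", "");
        int slash = host.indexOf('/');
        if (slash >= 0) host = host.substring(0, slash);   // drop the repository path
        Matcher m = ECR_HOST.matcher(host.toLowerCase(Locale.ROOT));
        return m.matches() ? new String[] { m.group(1), m.group(2) } : null;
    }

    /** Exchange only for ECR hosts, and only when the opt-out flag is not set. */
    static boolean shouldExchange(String registry, boolean skipExchange) {
        return !skipExchange && parseEcrHost(registry) != null;
    }

    /** Splits the decoded token into {username, password} for use as registry auth. */
    static String[] decodeToken(String authorizationToken) {
        byte[] raw = Base64.getDecoder().decode(authorizationToken);
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 0) throw new IllegalArgumentException("token is not user:password");
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String ecr = "https://123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo";
        String lookalike = "123456789012.dkr.ecr.us-east-1.amazonaws.com.example.net/my-repo";
        System.out.println("ecr host:       " + shouldExchange(ecr, false));
        System.out.println("look-alike:     " + shouldExchange(lookalike, false));
        System.out.println("ecr, opted out: " + shouldExchange(ecr, true));
        // Constructed token standing in for a real GetAuthorizationToken response.
        String token = Base64.getEncoder()
            .encodeToString("AWS:constructed-secret".getBytes(StandardCharsets.UTF_8));
        String[] cred = decodeToken(token);
        System.out.println("user=" + cred[0] + ", password length=" + cred[1].length());
    }
}
```

Hosts that carry a port or use a different domain suffix do not match the pattern, so they fall through to the unexchanged credentials instead of triggering an exchange.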
