9.8.1
Preconditions
- use two AWS profiles, the default and one with an assumed role using default as source profile
- call aws-ecr/ecr_login with both profiles
- attempt to push to the repository only accessible via the assumed role
What happened
Pushing to an ECR repository fails when it needs a specific AWS profile other than the default profile if the credential helper is used.
Expected behavior
The credential helper uses the correct AWS profile, obtains credentials and is able to push to ECR.
Assumed cause
The orb command build_image with push: true will add the --push flag to the docker buildx build command. If the target ECR repository is private, it needs to authenticate with AWS and uses the credential helper configured with aws-ecr/ecr_login, but uses the default AWS profile.
The orb command push_image likely suffers from the same bug.
Suggested solution
Add a parameter profile_name whose value is set to the environment variable AWS_PROFILE prior to any steps pushing to the repository. As default value for profile_name, I would suggest "default" to ensure backwards compatibility.
This could pose a foot gun with the docker buildx build command if the source docker image is not available from the profile set this way. I think that is acceptable since a user can set push: false for the build_image, build with the default profile and use the push_image command in a subsequent step with the newly introduced profile_name.
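
A sketch of the suggested behaviour as a shell wrapper, added here as an example and not taken from the issue or the orb's code. It assumes the ECR credential helper reads AWS_PROFILE from its environment, as the suggested solution presumes; the function names and the `ecr-push` profile name are hypothetical.

```shell
#!/bin/sh
# Added illustration, not the orb's implementation.
# profile_exists and run_with_profile are hypothetical helper names.

# Return 0 if the named profile is defined in the AWS config file.
# The shared config file uses "[default]" and "[profile NAME]" headers.
profile_exists() {
    cfg="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
    [ -r "$cfg" ] || return 1
    if [ "$1" = "default" ]; then
        grep -qxF "[default]" "$cfg"
    else
        grep -qxF "[profile $1]" "$cfg"
    fi
}

# Run one command with AWS_PROFILE set only for that command, so a
# credential helper started by docker resolves credentials from that
# profile instead of the default one.
# An empty profile name falls back to "default", the backwards-compatible
# default proposed in the issue.
run_with_profile() {
    [ "$#" -ge 2 ] || { echo "usage: run_with_profile PROFILE CMD..." >&2; return 64; }
    profile="${1:-default}"
    shift
    # Fail before the push rather than silently using the wrong identity.
    if ! profile_exists "$profile"; then
        echo "AWS profile '$profile' not found in config" >&2
        return 2
    fi
    AWS_PROFILE="$profile" "$@"
}

# Example call (placeholders, not values from the issue):
#   run_with_profile ecr-push docker push "$REPOSITORY_URI:$TAG"
```

Scoping the variable to the single push command keeps an earlier build step on the default profile, which matches the build-then-push split described in the issue.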