Amazon ECR auth help pulls in first stage but fails to use the pulled image in the second

So I am trying to pull images from the Amazon Docker registry. I can get the pull to work in the first step, it correctly auths and pulls; however, the second step fails. It seems it still connects and tries to pull the image and fails, because in the second step it never runs the aws auth step.

Anyone have this working or able to share a working setup ?

kind: pipeline
name: default

steps:
  - name: download-containers
    image: omerxx/drone-ecr-auth
    commands:
      - $(aws ecr get-login --no-include-email --region eu-west-2)
      - docker pull instanceid.dkr.ecr.eu-west-2.amazonaws.com/django-app:latest
    volumes:
      - name: dockersock
        path: /var/run/docker.sock

  - name: setup
    image: instanceid.dkr.ecr.eu-west-2.amazonaws.com/django-app:latest
    pull: false

Each pipeline step is an isolated container. The only way to share resources (e.g. generated credentials) between steps is with docker volumes. You should therefore figure out how to share the aws credentials between steps using a volume (see the docs for this). Or you should use a registry credential plugin to pull private images from ecr, which is the recommended approach (search forum for third party plugins that enable this).

I am using the plugin below which I found from searching the forum for how to pull from ecr, or are credential plugins different to normal plugin images ?

I did think about sharing the .docker file as a volume between the host, then running auth, then perhaps drone can use it when it pulls. I prefer the idea of not using the host if possible, however.

I am using the plugin below which I found from searching the forum for how to pull from ecr, or are credential plugins different to normal plugin images

Sorry, I should have been more clear. I am talking about Registry Credentials Plugins, which are different from a pipeline plugin. For example https://github.com/drone/drone-registry-plugin

I prefer the idea of not using the host if possible, however.

Mounting a host volume is not required. Drone supports temporary volumes, which do not require trusted mode enabled. https://docs.drone.io/user-guide/pipeline/volumes/

Cheers, I see it's quite a new project, but awesome, will give it a try and see if that helps out.

I figured it would have to be a host volume, because the image is pulled and then the volume mounted. I assume a temporary volume would not be mounted to drone itself, and drone itself would pull the image then launch it.

Anyway, hopefully the plugin works.

The project / code is actually quite mature. It was part of the closed source 0.8 Enterprise Edition and was recently published to GitHub and made public.

Good to know, trying this out I am getting stuck with the error below.

default: Error response from daemon: Get http: server gave HTTP response to HTTPS client

I am pulling the image in this fashion. It seems it's defaulting to https for the pull, but the proxy is using http and it does not like you prepending http to the image. Am I missing something here?

Or can I not use it locally in this way and need to proxy it through another server which adds the SSL? It also seems I should be able to use the container name in place of the IP, but this did not seem to work. Should it?


This works using the above IP, however.

drone plugins registry list

I believe this is controlled by Docker, not by Drone. If you want to pull a registry from a non-https endpoint you need to configure the host machine daemon appropriately. https://docs.docker.com/registry/insecure/

Never managed to get the registry plugin to work because of the http error. ECR is https by default, but I guess because I am not also hosting the plugin on https this is not working.

However, I eventually found the snippet below in the forums. I would also like to know if there is a repo for the docs, as it would be nice to have these documented and I wanted to put in a PR.

The docs only mention always from what I could find here: https://docs.drone.io/user-guide/pipeline/steps/#pull

pull: always
pull: if-not-exists
pull: never

Anyway, pulling in the first stage then using never in all subsequent steps seems to solve the issue for me. It would be nice to get the registry auth plugin working, but for now at least this will do.
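
The workaround described in the last post, written out as a complete pipeline. This is an added example, not the poster's actual file: `instanceid` is the placeholder used earlier in the thread, and the top-level `dockersock` host volume (with the default Docker socket path) is an assumption, since the thread only shows the step-level mount.

```yaml
# Added example, constructed from the thread; not the poster's own file.
kind: pipeline
name: default

steps:
  # Step 1 authenticates to ECR and pulls through the host's Docker daemon
  # (via the mounted socket), so the image ends up in the host image cache.
  # The registry login lives only in this container; it is not visible to
  # Drone when Drone itself starts the next step.
  - name: download-containers
    image: omerxx/drone-ecr-auth
    commands:
      - $(aws ecr get-login --no-include-email --region eu-west-2)
      - docker pull instanceid.dkr.ecr.eu-west-2.amazonaws.com/django-app:latest
    volumes:
      - name: dockersock
        path: /var/run/docker.sock

  # Step 2 uses the image already present on the host. "pull: never" stops
  # Drone from attempting its own, unauthenticated, pull from ECR.
  - name: setup
    image: instanceid.dkr.ecr.eu-west-2.amazonaws.com/django-app:latest
    pull: never

# Assumed declaration of the volume mounted in step 1. Unlike temporary
# volumes, a host volume needs trusted mode, and mounting the Docker socket
# gives that step full control of the host daemon, so limit which
# repositories are allowed to do it.
volumes:
  - name: dockersock
    host:
      path: /var/run/docker.sock
```

Because the image is only in the cache of the host that ran step 1, this relies on both steps running on the same Docker host, and `:latest` will be whatever step 1 pulled in that build.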