How do you authenticate with and pull from an ECR registry?


#1

We’re trying to determine if it’s possible to use either the drone-ecr or drone-docker plugin to pull from an ECR registry to use that image for non-publishing purposes.

The documentation as well as other questions on this site seem to refer exclusively to building and publishing use cases.

Is it possible to pull from an ECR registry with drone?

If so, how is this achieved and how does one avoid ECR’s 12h authentication expiry time? Are there any examples of configuring and pulling from ECR with Drone?


#2

The drone enterprise edition supports global registry credentials [1] which also supports ecr images [2] and automatic token refresh.

[1] http://docs.drone.io/setup-global-registry-credentials/
[2] http://docs.drone.io/setup-global-registry-credentials/#elastic-container-registry-ecr

Alternatively, you could download newer images on the host machine at the start of your pipeline so that they exist in the local docker cache. It could look something like this (below) and could even be encapsulated into a plugin.

pipeline:
  download:
    image: some-custom-image-with-docker-and-aws-cli
    commands:
      - aws ecr get-login | docker login -u AWS
      - docker pull 012345678910.dkr.ecr.us-east-1.amazonaws.com/golang
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  build:
    image: 012345678910.dkr.ecr.us-east-1.amazonaws.com/golang
    commands:
      - go build
      - go test

The negative to the above approach is that you have to run your builds in trusted mode in order to expose the host machine docker socket, which has security implications.


#3

Inspired by @bradrydzewski's answer,

I wrote a little plugin that enables you to access your AWS ECR, and you can pull, run, or do whatever you need from your image in ECR.

Here's the GitHub: https://github.com/amaziagur/drone-ecr-puller
in case it is handy for anyone.


#4

I did something similar; you're welcome to use mine too if you find it helpful -


#5

@amaziagur @omerxx thanks guys, appreciate the links and work!


#6

Another solution I just implemented is to use the drone-go libraries to create an AWS Lambda which updates the credentials for our ECR registry every 6 hours (tokens last 12 hours).


#7

Since I’m running drone on EC2, I’ve found it convenient to add a cron job to my hosts to periodically docker login using the instance profile already available to the host machine. I added to my cloud-init script:

crontab <(echo '44 */5 * * * $(aws ecr get-login --no-include-email --region us-east-1)')

And then added a pull step to my pipeline using the docker-in-docker image:

pipeline:
  pull-images:
    image: docker
    commands:
      - docker pull myimage | cat
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/ec2-user/.docker:/root/.docker

#8

There is a not-yet-documented feature in 1.0.0-rc.1 that you can use to instruct your agents (or your server if you are running agentless, single-server) to load the .docker/config.json file from the host machine.

First you need to mount the config file into your agent container:

--volume=/home/ubuntu/.docker/config.json:/root/.docker/config.json

And then tell the agent where to find the file inside the container:

DRONE_DOCKER_CONFIG=/root/.docker/config.json

This could be used in conjunction with the cronjob described above, since it removes a few steps from the sample pipeline you posted.
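The cron job in #7 and the host-mounted config.json in #8 both come down to the same mechanism: turn the short-lived token from `aws ecr get-authorization-token` into an `auths` entry in Docker's config.json, and redo it before the 12-hour expiry. The script below is an added example (not code from this thread or from the Drone project) that does exactly that, with a constructed stand-in for the AWS response instead of a real API call; the field names follow the AWS CLI output, the token value, account id and timestamps are made up, and the refresh margin of 6 hours is the cadence the posters above chose.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# ECR authorization tokens live 12 hours; the thread refreshes every 6 hours,
# so anything with 6 hours or less remaining is treated as due for refresh.
TOKEN_LIFETIME = timedelta(hours=12)
REFRESH_MARGIN = timedelta(hours=6)

# Constructed stand-in for the JSON that `aws ecr get-authorization-token`
# returns. Field names are the real ones; the token, account id and times are
# made up for this example.
SAMPLE_RESPONSE = {
    "authorizationData": [
        {
            "authorizationToken": base64.b64encode(b"AWS:constructed-token-value").decode(),
            "expiresAt": "2024-01-01T12:00:00+00:00",
            "proxyEndpoint": "https://012345678910.dkr.ecr.us-east-1.amazonaws.com",
        }
    ]
}


def _as_utc(value):
    """Accept an ISO-8601 string, a Unix timestamp or a datetime; return an aware UTC datetime."""
    if isinstance(value, datetime):
        return value.astimezone(timezone.utc)
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def parse_authorization_data(entry):
    """Decode one authorizationData entry; the token is base64("AWS:<password>")."""
    user, sep, password = base64.b64decode(entry["authorizationToken"]).decode().partition(":")
    if user != "AWS" or not sep or not password:
        raise ValueError("unexpected ECR authorization token format")
    registry = entry["proxyEndpoint"]
    if registry.startswith("https://"):
        registry = registry[len("https://"):]  # config.json keys carry no scheme
    return {
        "registry": registry,
        "username": user,
        "password": password,
        "expires_at": _as_utc(entry["expiresAt"]),
    }


def needs_refresh(expires_at, now, margin=REFRESH_MARGIN):
    """True when the stored token has expired or has `margin` or less of life left."""
    return _as_utc(expires_at) - _as_utc(now) <= margin


def docker_auth_entry(username, password):
    """Encode credentials the way Docker stores them under auths.<registry>.auth."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_docker_auth(auth):
    """Inverse of docker_auth_entry, handy for inspecting an existing config.json entry."""
    user, _, password = base64.b64decode(auth).decode().partition(":")
    return user, password


def refresh_docker_config(config, response, now):
    """Write fresh ECR logins into a Docker config dict; other registries are left alone.

    Returns (config, written), where written lists the registries updated. A token
    that is already expired at `now` (clock skew, a cached response) is never written,
    since a dead credential in config.json is exactly the 12h failure the thread is about.
    """
    auths = config.setdefault("auths", {})
    written = []
    for entry in response["authorizationData"]:
        cred = parse_authorization_data(entry)
        if cred["expires_at"] <= _as_utc(now):
            continue
        auths[cred["registry"]] = {"auth": docker_auth_entry(cred["username"], cred["password"])}
        written.append(cred["registry"])
    return config, written


if __name__ == "__main__":
    # On a real host, replace SAMPLE_RESPONSE with the parsed output of
    # `aws ecr get-authorization-token` and `now` with datetime.now(timezone.utc),
    # then write the result to the config.json that DRONE_DOCKER_CONFIG points at.
    cfg, written = refresh_docker_config({}, SAMPLE_RESPONSE, "2024-01-01T07:00:00+00:00")
    print(json.dumps(cfg, indent=2))
    print("written:", written)
```

Run from cron on the same schedule as #7, this keeps the file that #8's `DRONE_DOCKER_CONFIG` reads populated with a live token, and because it only rewrites the ECR key it will not clobber logins for other registries that share the file.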


#9

Is this up-to-date? I’m struggling to find documentation anywhere else for how to run pipeline steps with images from a private docker registry in 1.0.0-rc.1. Are there plans to move to a simpler configuration for this like what was available in 8.0?


#10

ECR is a little tricky because auth tokens are not long-lived, so you can’t simply store credentials.

FWIW, I built a DRONE_REGISTRY configuration plugin with my agents to allow them to get credentials from my private ECR repository.

Works for us, and no special configuration/plugins needed in the yaml files.