feat: enable ECR auth with role and create test (#14)
fernandoataoldotcom authored Oct 19, 2023
1 parent f086c9f commit 29e072a
Showing 3 changed files with 92 additions and 14 deletions.
42 changes: 37 additions & 5 deletions .github/workflows/test-action-on-pr-and-schedule.yml
Expand Up @@ -6,17 +6,30 @@ on:
schedule:
- cron: '45 12 * * 4'

permissions:
id-token: write
packages: write

jobs:
test_action:
runs-on: ubuntu-22.04

steps:
- name: set variables
run: |
echo "TEST_IMAGE_NAME=glueops/github-actions-build-push-containers/test-github-actions-build-push-containers" >> $GITHUB_ENV
echo "DOCKERHUB_TEST_IMAGE_NAME=glueopsrocksv2/github-actions-build-push-containers_test-github-actions-build-push-containers" >> $GITHUB_ENV
# set image name, GITHUB_ENV is not available until after step completes
TEST_IMAGE_NAME=glueops/github-actions-build-push-containers/test-github-actions-build-push-containers
echo "TEST_IMAGE_NAME=$TEST_IMAGE_NAME" >> $GITHUB_ENV
# Configure AWS Variables
echo "ECR_REGISTRY=616531474007.dkr.ecr.us-west-2.amazonaws.com" >> $GITHUB_ENV
echo "AWS_REGION=us-west-2" >> $GITHUB_ENV
# Use a different ecr repository to test iam path
echo "ECR_IAM_ROLE_TEST_IMAGE_NAME=${TEST_IMAGE_NAME}-iam-role" >> $GITHUB_ENV
# Docker Hub has a unique naming convention
echo "DOCKERHUB_TEST_IMAGE_NAME=glueopsrocksv2/github-actions-build-push-containers_test-github-actions-build-push-containers" >> $GITHUB_ENV
- name: Checkout code
uses: actions/checkout@v3
Expand All @@ -33,12 +46,13 @@ jobs:
- name: test ghcr.io
run: |
echo "::group::pull from ghcr.io"
echo "pulling ghcr.io/$TEST_IMAGE_NAME:${{ github.sha }}"
docker pull ghcr.io/$TEST_IMAGE_NAME:${{ github.sha }}
echo "::endgroup::"
docker run -e REGISTRY=ghcr.io ghcr.io/$TEST_IMAGE_NAME:${{ github.sha }}
- name: run ecr
- name: run ecr with access keys
uses: ./
with:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
Expand All @@ -49,15 +63,33 @@ jobs:
context: "./test-directory/tests/"
target_directory: test-directory

- name: test ecr
- name: test ecr with access keys
run: |
echo "::group::log in to ecr and pull"
echo $(aws ecr get-login-password --region $AWS_REGION) \
| docker login --username AWS --password-stdin $ECR_REGISTRY
docker pull $ECR_REGISTRY/$TEST_IMAGE_NAME:${{ github.sha }}
echo "::endgroup::"
docker run -e REGISTRY=dkr.ecr $ECR_REGISTRY/$TEST_IMAGE_NAME:${{ github.sha }}
docker run -e "REGISTRY=dkr.ecr with Access Keys" $ECR_REGISTRY/$TEST_IMAGE_NAME:${{ github.sha }}
- name: run ecr with iam role
uses: ./
with:
aws_role_to_assume: ${{ secrets.AWS_ROLE_ARN }}
aws_default_region: ${{ env.AWS_REGION }}
image_name: ${{ env.ECR_IAM_ROLE_TEST_IMAGE_NAME }}
registry: ${{ env.ECR_REGISTRY }}
context: "./test-directory/tests/"
target_directory: test-directory

- name: test ecr with iam role
run: |
echo "::group::log in to ecr and pull"
echo $(aws ecr get-login-password --region $AWS_REGION) \
| docker login --username AWS --password-stdin $ECR_REGISTRY
docker pull $ECR_REGISTRY/$ECR_IAM_ROLE_TEST_IMAGE_NAME:${{ github.sha }}
echo "::endgroup::"
docker run -e "REGISTRY=dkr.ecr with IAM Role" $ECR_REGISTRY/$ECR_IAM_ROLE_TEST_IMAGE_NAME:${{ github.sha }}
- name: run docker hub
uses: ./
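Review bot: The `run ecr with iam role` / `test ecr with iam role` pair runs in the same job and after the access-key pair, so by the time the OIDC path is exercised the first configure-aws-credentials invocation has presumably already exported `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` into the job environment; the role step still has to succeed for the job to pass, but the environment is not isolated, so this test cannot distinguish "OIDC works on its own" from "OIDC works when static keys are also present". Running the role-based test as a separate job (its own `permissions: id-token: write`, no access-key secrets referenced) would make the new auth path verifiable in isolation and would also let the workflow-level `packages: write` / `id-token: write` grants be scoped to the jobs that need them. The README example added in this same commit passes `aws_role_to_assume: ${{ secrets.AWS_ACCESS_KEY_ID }}` where this workflow's reference step uses `aws_role_to_assume: ${{ secrets.AWS_ROLE_ARN }}`; that looks like a copy-paste slip and will mislead anyone who copies the README. The `test_action` job and its `steps` list continue past the end of this hunk.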
39 changes: 33 additions & 6 deletions README.md
Expand Up @@ -39,7 +39,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Build and Push Container to ghcr.io
uses: GlueOps/github-actions-build-push-containers@v0.2.0
uses: GlueOps/github-actions-build-push-containers@v0.3.0
```
#### **Docker Hub (docker.io)**
Expand All @@ -56,17 +56,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Build and Push Container to docker.io
uses: GlueOps/github-actions-build-push-containers@v0.2.0
uses: GlueOps/github-actions-build-push-containers@v0.3.0
with:
registry: "docker.io"
dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
dockerhub_password: ${{ secrets.DOCKERHUB_PASSWORD }}
```
#### **AWS Elastic Container Registry (.dkr.ecr.)**
#### **AWS Elastic Container Registry (.dkr.ecr.) - with Access Keys**
```yaml
name: Build and Push Container to ECR
name: Build and Push Container to ECR using Access Keys

on:
pull_request:
Expand All @@ -77,9 +77,36 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Build and Push Container to ECR
uses: GlueOps/github-actions-build-push-containers@v0.2.0
uses: GlueOps/github-actions-build-push-containers@v0.3.0
with:
registry: "<aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com"
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```
aws_default_region: ${{ env.AWS_REGION}}
```
#### **AWS Elastic Container Registry (.dkr.ecr.) - IAM Role**
Note that additioanl workflow permissions are required to enable use of GitHub OIDC. Additional Documentation for configuration is available in the [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials#oidc) repository.
```yaml
name: Build and Push Container to ECR using an IAM Role

on:
pull_request:
types: [opened, synchronize, reopened]

permissions:
id-token: write

jobs:
build_and_push:
runs-on: ubuntu-latest
steps:
- name: Build and Push Container to ECR
uses: GlueOps/github-actions-build-push-containers@v0.3.0
with:
registry: "<aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com"
aws_role_to_assume: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_default_region: ${{ env.AWS_REGION}}
```
25 changes: 22 additions & 3 deletions action.yml
Expand Up @@ -44,11 +44,15 @@ inputs:

# ecr
aws_access_key_id:
description: 'AWS Access Key ID'
description: 'AWS Access Key ID - to be used in conjunction with `aws_secret_access_key`'
required: false

aws_secret_access_key:
description: 'AWS Secret Access Key'
description: 'AWS Secret Access Key - to be used in conjunction with `aws_access_key_id`'
required: false

aws_role_to_assume:
description: 'AWS IAM Role to assume, when using the GitHub OIDC provider in conjunction with a configured AWS IAM Identity Provider endpoint and instead of access key / secret key pair'
required: false

aws_default_region:
Expand Down Expand Up @@ -77,7 +81,7 @@ runs:
run: |
echo "::group::Installing AWS CLI..."
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
unzip -o awscliv2.zip
sudo ./aws/install --update
aws --version
echo "::endgroup::"
Expand All @@ -95,6 +99,21 @@ runs:
fi
echo "::endgroup::"
- name: AWS Authentication - IAM Keys
if: contains(inputs.registry, '.dkr.ecr.') && inputs.aws_access_key_id != '' && inputs.aws_secret_access_key != ''
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ inputs.aws_access_key_id }}
aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
aws-region: ${{ inputs.aws_default_region }}

- name: AWS Authentication - AWS IAM Role via OIDC
if: contains(inputs.registry, '.dkr.ecr.') && inputs.aws_role_to_assume != ''
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ inputs.aws_role_to_assume }}
aws-region: ${{ inputs.aws_default_region }}

# https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-to-the-container-registry
- name: Registry Authentication
shell: bash
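Review bot: The two new steps `AWS Authentication - IAM Keys` and `AWS Authentication - AWS IAM Role via OIDC` are not mutually exclusive: a caller who supplies `aws_access_key_id`/`aws_secret_access_key` and `aws_role_to_assume` together gets both steps executed, and which credentials end up exported then depends on step order and on how configure-aws-credentials treats keys already present in the environment, neither of which action.yml documents. Either make the precedence explicit in the condition, e.g. `if: contains(inputs.registry, '.dkr.ecr.') && inputs.aws_role_to_assume != '' && inputs.aws_access_key_id == ''`, or fail fast with a clear message when both are set. The `aws_role_to_assume` description should also say that the calling workflow must grant `permissions: id-token: write`, which the README hunk in this commit mentions but the input description does not, so a consumer reading only action.yml will only discover it when the step cannot obtain an OIDC token. Pinning `aws-actions/configure-aws-credentials@v4` to a full commit SHA rather than a mutable major tag is the usual hardening for an action that handles cloud credentials; the `Registry Authentication` step that follows starts inside the hunk but its body continues outside it.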
