I'm using Drone 0.4 as my CI. While trying to migrate from a self-hosted private registry to AWS's ECS/ECR, I've come across an authentication issue when referencing these images in my .drone.yml as a composed service.

For example:

build:
    image: python:3.5
    commands: 
        - some stuff
compose:
    db:
        image: <account_id>.dkr.ecr.us-east-1.amazonaws.com/reponame:latest

When the Drone build runs it's erroring out, like it should, saying Authentication required to pull from ECR. As I understand it, when you authenticate for AWS ECR you use something like aws-cli's ecr get-login, which gives you a temporary password. I know that I could inject that into my Drone secrets file and use that value in auth_config, but that would mean I'd have to update my secrets file every twelve hours (or however long that token lasts). Is there a way for Drone to perform the authentication process itself?

John Rotenstein
Nimnam1
  • The username and password authentication that Drone implements is generic across providers (DockerHub, GCR, etc.), meaning it is not aware of ECR's special password expiration and refresh requirements. There is no solution at this time. The best option is to contribute a patch to Drone to add this capability. – Brad Rydzewski Jan 19 '17 at 11:21
  • @BradRydzewski when I went to the Drone GitHub I didn't see a branch for 0.4; I only saw master and feature/mq. Is there another place I should be looking? Right now Drone is on version 0.5, I believe. – Nimnam1 Jan 19 '17 at 15:15

1 Answer

You can run the authentication command in the same shell before executing your build/compose command:

How we do it in our setup with Docker is, we have this shell script part in our Jenkins pipeline (this shell script will work with or without Jenkins; all you have to do is configure your AWS credentials):

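# get-login prints a "docker login ..." command; the backticks execute it in this shell
`aws ecr get-login --region us-east-1`
# Build the image, then tag and push it using the registry session created by the login above
${MAVEN_HOME}/bin/mvn clean package docker:build -DskipTests
docker tag -f ${DOCKER_REGISTRY}/c-server ${DOCKER_REGISTRY}/c-server:${RELEASE_VERSION}
docker push ${DOCKER_REGISTRY}/c-server:${RELEASE_VERSION}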

So while running the maven command which creates the image or the subsequent commands to push it in ECR, it uses the authentication it gets from the first command.

Manish Joshi
  • Hmm... Not quite what I was asking for, but it looks like what I'm asking for isn't currently possible. Your answer might be helpful to others though. – Nimnam1 Jan 19 '17 at 20:06
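
The temporary ECR password discussed in this thread comes from the ECR GetAuthorizationToken response, which also carries its own expiry. The following is an added example, not part of the original posts and not Drone code: it decodes such a response into registry, username and password and decides when a scheduled job should fetch a new token. The sample response, account ID, password, helper names and the one-hour refresh margin are all constructed assumptions.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the ECR GetAuthorizationToken response
# (what `aws ecr get-authorization-token --output json` prints). The token is
# base64("AWS:<password>"); the account ID and password here are fake.
SAMPLE_RESPONSE = json.dumps({
    "authorizationData": [{
        "authorizationToken": base64.b64encode(b"AWS:constructed-password").decode(),
        "expiresAt": "2017-01-20T08:00:00+00:00",
        "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
    }]
})


def to_utc(value):
    """Normalize expiresAt, accepting epoch seconds or an ISO 8601 string."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def parse_ecr_auth(response_json):
    """Return registry, username, password and expiry from the response."""
    data = json.loads(response_json)["authorizationData"][0]
    decoded = base64.b64decode(data["authorizationToken"]).decode()
    username, sep, password = decoded.partition(":")
    if not sep or not password:
        raise ValueError("authorizationToken is not base64('user:password')")
    return {
        "registry": data["proxyEndpoint"].split("://", 1)[-1],
        "username": username,
        "password": password,  # credential: never print or log this value
        "expires_at": to_utc(data["expiresAt"]),
    }


def needs_refresh(expires_at, now, margin=timedelta(hours=1)):
    """True when the token has expired or will expire within `margin`."""
    return now >= expires_at - margin
```

A scheduled job can call `needs_refresh` with the stored expiry and rewrite the registry credentials only when it returns true, keeping the decoded password out of build logs.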