Skip to content

Commit

Permalink
Merge pull request #114 from Flydiverny/fix-ec2-instance-credentials
Browse files Browse the repository at this point in the history
fix(ecr): use ec2 instance credentials when no credentials are provided
  • Loading branch information
crazy-max authored Dec 16, 2021
2 parents 1cce165 + f6476db commit b776a64
Show file tree
Hide file tree
Showing 3 changed files with 89 additions and 5 deletions.
78 changes: 77 additions & 1 deletion __tests__/docker.test.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import {loginStandard, logout} from '../src/docker';
import {loginECR, loginStandard, logout} from '../src/docker';
import * as aws from '../src/aws';

import * as path from 'path';

Expand Down Expand Up @@ -47,3 +48,78 @@ test('logout calls exec', async () => {
ignoreReturnCode: true
});
});

test('loginECR sets AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if username and password is set', async () => {
const execSpy: jest.SpyInstance = jest.spyOn(aws, 'getDockerLoginCmds');
execSpy.mockImplementation(() => Promise.resolve([]));
jest.spyOn(aws, 'getCLI').mockImplementation(() => Promise.resolve(''));
jest.spyOn(aws, 'getCLIVersion').mockImplementation(() => Promise.resolve(''));
jest.spyOn(aws, 'getRegion').mockImplementation(() => '');
jest.spyOn(aws, 'getAccountIDs').mockImplementation(() => []);
jest.spyOn(aws, 'isPubECR').mockImplementation(() => false);

const username: string = 'dbowie';
const password: string = 'groundcontrol';
const registry: string = 'https://ghcr.io';

await loginECR(registry, username, password);

expect(process.env.AWS_ACCESS_KEY_ID).toEqual(username);
expect(process.env.AWS_SECRET_ACCESS_KEY).toEqual(password);
});

test('loginECR keeps AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if set', async () => {
const execSpy: jest.SpyInstance = jest.spyOn(aws, 'getDockerLoginCmds');
execSpy.mockImplementation(() => Promise.resolve([]));
jest.spyOn(aws, 'getCLI').mockImplementation(() => Promise.resolve(''));
jest.spyOn(aws, 'getCLIVersion').mockImplementation(() => Promise.resolve(''));
jest.spyOn(aws, 'getRegion').mockImplementation(() => '');
jest.spyOn(aws, 'getAccountIDs').mockImplementation(() => []);
jest.spyOn(aws, 'isPubECR').mockImplementation(() => false);

process.env.AWS_ACCESS_KEY_ID = 'banana';
process.env.AWS_SECRET_ACCESS_KEY = 'supersecret';

await loginECR('ecr.aws', '', '');

expect(process.env.AWS_ACCESS_KEY_ID).toEqual('banana');
expect(process.env.AWS_SECRET_ACCESS_KEY).toEqual('supersecret');
});

test('loginECR overrides AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if username and password set', async () => {
const execSpy: jest.SpyInstance = jest.spyOn(aws, 'getDockerLoginCmds');
execSpy.mockImplementation(() => Promise.resolve([]));
jest.spyOn(aws, 'getCLI').mockImplementation(() => Promise.resolve(''));
jest.spyOn(aws, 'getCLIVersion').mockImplementation(() => Promise.resolve(''));
jest.spyOn(aws, 'getRegion').mockImplementation(() => '');
jest.spyOn(aws, 'getAccountIDs').mockImplementation(() => []);
jest.spyOn(aws, 'isPubECR').mockImplementation(() => false);

process.env.AWS_ACCESS_KEY_ID = 'banana';
process.env.AWS_SECRET_ACCESS_KEY = 'supersecret';
const username = 'myotheruser';
const password = 'providedpassword';

await loginECR('ecr.aws', username, password);

expect(process.env.AWS_ACCESS_KEY_ID).toEqual(username);
expect(process.env.AWS_SECRET_ACCESS_KEY).toEqual(password);
});

test('loginECR does not set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if not set', async () => {
const execSpy: jest.SpyInstance = jest.spyOn(aws, 'getDockerLoginCmds');
execSpy.mockImplementation(() => Promise.resolve([]));
jest.spyOn(aws, 'getCLI').mockImplementation(() => Promise.resolve(''));
jest.spyOn(aws, 'getCLIVersion').mockImplementation(() => Promise.resolve(''));
jest.spyOn(aws, 'getRegion').mockImplementation(() => '');
jest.spyOn(aws, 'getAccountIDs').mockImplementation(() => []);
jest.spyOn(aws, 'isPubECR').mockImplementation(() => false);

delete process.env.AWS_ACCESS_KEY_ID;
delete process.env.AWS_SECRET_ACCESS_KEY;

await loginECR('ecr.aws', '', '');

expect('AWS_ACCESS_KEY_ID' in process.env).toEqual(false);
expect('AWS_SECRET_ACCESS_KEY' in process.env).toEqual(false);
});
8 changes: 6 additions & 2 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 6 additions & 2 deletions src/docker.ts
Original file line number Diff line number Diff line change
Expand Up @@ -62,8 +62,12 @@ export async function loginECR(registry: string, username: string, password: str
core.info(`AWS ECR detected with ${region} region`);
}

process.env.AWS_ACCESS_KEY_ID = username || process.env.AWS_ACCESS_KEY_ID;
process.env.AWS_SECRET_ACCESS_KEY = password || process.env.AWS_SECRET_ACCESS_KEY;
if (username) {
process.env.AWS_ACCESS_KEY_ID = username;
}
if (password) {
process.env.AWS_SECRET_ACCESS_KEY = password;
}

core.info(`Retrieving docker login command through AWS CLI ${cliVersion} (${cliPath})...`);
const loginCmds = await aws.getDockerLoginCmds(cliVersion, registry, region, accountIDs);
Expand Down

0 comments on commit b776a64

Please sign in to comment.