Support adding own aws credentials provider chain

Create issue
Issue #15 new
Former user created an issue

We have a need to use this plugin with temporary credentials because we have a main AWS account and then assume role into our individual team accounts. Currently there is no way to provide a sessionToken to the plugin because it assumes basic credentials. My suggestion would be to add an ability to override the credentials provider and then individuals can supply their credentials however they see fit. This I think will provide the most flexibility in the future.

I ripped out the relevant code from the plugin and modded it to use our own credential provider like so

ext {
    awsCredentials = new AWSCredentialsProviderChain(
            // Needed for dealing with "AssumeRole" profiles
            STSProfileCredentialsServiceLoader.instance.getAssumeRoleCredentialsProvider(new RoleInfo()
                    .withRoleArn("arn:aws:iam::123456789012:role/OrganizationAccountAccessRole-Developer")
                    .withRoleSessionName("myBuildSession")
                    .withLongLivedCredentialsProvider(new ProfileCredentialsProvider("main"))),
            // Need this on the Jenkins box to use its EC2 credentials
            new EC2ContainerCredentialsProviderWrapper()
    )

    //The below was pieced together from this plugin.  Difference is that I set the credential
    //provider on the below line.
    AmazonECRClientBuilder ecrClientBuilder = AmazonECRClientBuilder.standard().withCredentials(awsCredentials).withRegion('us-east-1')
    GetAuthorizationTokenResult tokens = ecrClientBuilder.build()
            .getAuthorizationToken(new GetAuthorizationTokenRequest().withRegistryIds('123456789012'))

    String[] ecrCreds = new String(tokens.authorizationData.first().authorizationToken.decodeBase64(),
            'US-ASCII').split(":")

    project.extensions.getByType(DockerExtension).with {
        if (!registryCredentials) {
            registryCredentials = new DockerRegistryCredentials()
        }
        registryCredentials.with {
            url = "123456789012.dkr.ecr.us-east-1.amazonaws.com/repo"
            username = ecrCreds[0]
            password = ecrCreds[1]
        }
    }
}

Comments (0)

  1. Log in to comment