Support adding own AWS credentials provider chain

Issue #15 new
Former user created an issue

We have a need to use this plugin with temporary credentials because we have a main AWS account and then assume role into our individual team accounts. Currently there is no way to provide a sessionToken to the plugin because it assumes basic credentials. My suggestion would be to add an ability to override the credentials provider, and then individuals can supply their credentials however they see fit. This, I think, will provide the most flexibility in the future.

I ripped out the relevant code from the plugin and modded it to use our own credential provider like so:

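// Imports needed at the top of build.gradle (AWS SDK for Java v1; the Docker
// classes are assumed to come from the bmuschko gradle-docker-plugin)
import com.amazonaws.auth.AWSCredentialsProviderChain
import com.amazonaws.auth.EC2ContainerCredentialsProviderWrapper
import com.amazonaws.auth.profile.ProfileCredentialsProvider
import com.amazonaws.auth.profile.internal.securitytoken.RoleInfo
import com.amazonaws.auth.profile.internal.securitytoken.STSProfileCredentialsServiceLoader
import com.amazonaws.services.ecr.AmazonECRClientBuilder
import com.amazonaws.services.ecr.model.GetAuthorizationTokenRequest
import com.amazonaws.services.ecr.model.GetAuthorizationTokenResult
import com.bmuschko.gradle.docker.DockerExtension
import com.bmuschko.gradle.docker.DockerRegistryCredentials

ext {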
    awsCredentials = new AWSCredentialsProviderChain(
            // Needed for dealing with "AssumeRole" profiles
            STSProfileCredentialsServiceLoader.instance.getAssumeRoleCredentialsProvider(new RoleInfo()
                    .withRoleArn("arn:aws:iam::123456789012:role/OrganizationAccountAccessRole-Developer")
                    .withRoleSessionName("myBuildSession")
                    .withLongLivedCredentialsProvider(new ProfileCredentialsProvider("main"))),
            // Need this on the Jenkins box to use its EC2 credentials
            new EC2ContainerCredentialsProviderWrapper()
    )

    //The below was pieced together from this plugin.  Difference is that I set the credential
    //provider on the below line.
    AmazonECRClientBuilder ecrClientBuilder = AmazonECRClientBuilder.standard().withCredentials(awsCredentials).withRegion('us-east-1')
    GetAuthorizationTokenResult tokens = ecrClientBuilder.build()
            .getAuthorizationToken(new GetAuthorizationTokenRequest().withRegistryIds('123456789012'))

    String[] ecrCreds = new String(tokens.authorizationData.first().authorizationToken.decodeBase64(),
            'US-ASCII').split(":")

    project.extensions.getByType(DockerExtension).with {
        if (!registryCredentials) {
            registryCredentials = new DockerRegistryCredentials()
        }
        registryCredentials.with {
            url = "123456789012.dkr.ecr.us-east-1.amazonaws.com/repo"
            username = ecrCreds[0]
            password = ecrCreds[1]
        }
    }
}
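The snippet above decodes the ECR authorization token with `split(":")` and takes the first two fields. The following is an added example, not code from the issue or from the plugin, showing a stricter way to handle that token: split on the first colon only, reject malformed input, track expiry, and keep the password out of logs. `EcrLogin` and `parseEcrToken` are hypothetical names, and the token and timestamps are constructed sample values.

```groovy
import java.nio.charset.StandardCharsets
import java.time.Instant

// Hypothetical holder class, not part of the plugin or the AWS SDK.
class EcrLogin {
    final String username
    final String password
    final Instant expiresAt

    EcrLogin(String username, String password, Instant expiresAt) {
        this.username = username
        this.password = password
        this.expiresAt = expiresAt
    }

    // True when the token has less than marginSeconds of validity left.
    boolean needsRefresh(Instant now, long marginSeconds = 300) {
        !now.plusSeconds(marginSeconds).isBefore(expiresAt)
    }

    // Keep the secret out of build logs and stack traces.
    @Override
    String toString() {
        "EcrLogin(username=${username}, password=<redacted>, expiresAt=${expiresAt})"
    }
}

EcrLogin parseEcrToken(String authorizationToken, Instant expiresAt) {
    String decoded = new String(authorizationToken.decodeBase64(), StandardCharsets.UTF_8)
    // Limit 2: everything after the first ':' is the password, even if it contains ':'.
    String[] parts = decoded.split(':', 2)
    if (parts.length != 2 || parts[0].isEmpty() || parts[1].isEmpty()) {
        throw new IllegalArgumentException('ECR authorization token is not in user:password form')
    }
    new EcrLogin(parts[0], parts[1], expiresAt)
}

// Constructed sample values, not real credentials.
Instant issued = Instant.parse('2024-01-01T00:00:00Z')
String sample = 'AWS:constructed:secret:with:colons'.bytes.encodeBase64().toString()
EcrLogin login = parseEcrToken(sample, issued.plusSeconds(12 * 3600))

assert login.username == 'AWS'
assert login.password == 'constructed:secret:with:colons'
assert !login.needsRefresh(issued)
assert login.needsRefresh(issued.plusSeconds(12 * 3600 - 60))
println login
```

In the build script, the expiry would come from `tokens.authorizationData.first().expiresAt.toInstant()` alongside the `authorizationToken` already read there.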
