Skip to content

Commit d2aace8

Browse files
authored
Merge pull request #1561 from docker/e2e-aws-ecr-oidc
ci(e2e): use OIDC for AWS ECR
2 parents f72b3cf + ffca515 commit d2aace8

2 files changed

Lines changed: 38 additions & 27 deletions

File tree

.github/workflows/.e2e-run.yml

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,9 @@ on:
1010
type:
1111
required: true
1212
type: string
13+
provider:
14+
required: true
15+
type: string
1316
name:
1417
required: true
1518
type: string
@@ -108,9 +111,16 @@ jobs:
108111
driver-opts: |
109112
image=${{ matrix.buildkit_image }}
110113
network=host
114+
-
115+
name: Configure AWS credentials
116+
if: inputs.provider == 'aws'
117+
uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
118+
with:
119+
role-to-assume: arn:aws:iam::175142243308:role/official_gha_cicd
120+
aws-region: us-east-1
111121
-
112122
name: Login to Registry
113-
if: github.event_name != 'pull_request' && (inputs.type == 'remote' || env.REGISTRY_USER != '')
123+
if: github.event_name != 'pull_request' && (inputs.type == 'remote' || inputs.provider == 'aws' || env.REGISTRY_USER != '')
114124
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
115125
with:
116126
registry: ${{ env.REGISTRY_FQDN || inputs.registry }}

.github/workflows/e2e.yml

Lines changed: 27 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@ jobs:
2222
uses: ./.github/workflows/.e2e-run.yml
2323
permissions:
2424
contents: read
25+
id-token: write # to get AWS credentials
2526
packages: write # to push image to GHCR
2627
strategy:
2728
fail-fast: false
@@ -30,100 +31,100 @@ jobs:
3031
-
3132
name: Distribution
3233
id: distribution
33-
auth: none
34+
provider: none
3435
type: local
3536
-
3637
name: Docker Hub
3738
registry: ''
3839
slug: dockereng/build-push-action-test
39-
auth: dockerhub
40+
provider: dockerhub
4041
type: remote
4142
-
4243
name: GitHub
4344
registry: ghcr.io
4445
slug: ghcr.io/docker/build-push-action-test
45-
auth: ghcr
46+
provider: ghcr
4647
type: remote
4748
-
4849
name: GitLab
4950
registry: registry.gitlab.com
5051
slug: registry.gitlab.com/test1716/test
51-
auth: gitlab
52+
provider: gitlab
5253
type: remote
5354
-
5455
name: AWS ECR
5556
registry: 175142243308.dkr.ecr.us-east-2.amazonaws.com
5657
slug: 175142243308.dkr.ecr.us-east-2.amazonaws.com/sandbox/test-docker-action
57-
auth: aws
58+
provider: aws
5859
type: remote
5960
-
6061
name: AWS ECR Public
6162
registry: public.ecr.aws
6263
slug: public.ecr.aws/q3b5f1u4/test-docker-action
63-
auth: aws
64+
provider: aws
6465
type: remote
6566
-
6667
name: Google Artifact Registry
6768
registry: us-east4-docker.pkg.dev
6869
slug: us-east4-docker.pkg.dev/sandbox-298914/docker-official-github-actions/test-docker-action
69-
auth: gar
70+
provider: gar
7071
type: remote
7172
-
7273
name: Azure Container Registry
7374
registry: officialgithubactions.azurecr.io
7475
slug: officialgithubactions.azurecr.io/test-docker-action
75-
auth: acr
76+
provider: acr
7677
type: remote
7778
-
7879
name: Quay
7980
registry: quay.io
8081
slug: quay.io/docker_build_team/ghactiontest
81-
auth: quay
82+
provider: quay
8283
type: remote
8384
-
8485
name: Artifactory
8586
registry: infradock.jfrog.io
8687
slug: infradock.jfrog.io/test-ghaction/build-push-action
87-
auth: artifactory
88+
provider: artifactory
8889
type: remote
8990
-
9091
name: Harbor
9192
id: harbor
92-
auth: none
93+
provider: none
9394
type: local
9495
-
9596
name: Nexus
9697
id: nexus
97-
auth: none
98+
provider: none
9899
type: local
99100
with:
100101
id: ${{ matrix.id }}
101102
type: ${{ matrix.type }}
103+
provider: ${{ matrix.provider }}
102104
name: ${{ matrix.name }}
103105
registry: ${{ matrix.registry }}
104106
slug: ${{ matrix.slug }}
105107
secrets:
106108
# Pass only the registry-specific secrets needed by each matrix entry.
107109
# GHCR uses the called workflow's GITHUB_TOKEN fallback.
110+
# AWS ECR uses OIDC to get credentials.
108111
registry_username: >-
109112
${{
110-
matrix.auth == 'dockerhub' && vars.DOCKERPUBLICBOT_USERNAME ||
111-
matrix.auth == 'gitlab' && secrets.GITLAB_USERNAME ||
112-
matrix.auth == 'aws' && secrets.AWS_ACCESS_KEY_ID ||
113-
matrix.auth == 'gar' && secrets.GAR_USERNAME ||
114-
matrix.auth == 'acr' && secrets.AZURE_CLIENT_ID ||
115-
matrix.auth == 'quay' && secrets.QUAY_USERNAME ||
116-
matrix.auth == 'artifactory' && secrets.ARTIFACTORY_USERNAME ||
113+
matrix.provider == 'dockerhub' && vars.DOCKERPUBLICBOT_USERNAME ||
114+
matrix.provider == 'gitlab' && secrets.GITLAB_USERNAME ||
115+
matrix.provider == 'gar' && secrets.GAR_USERNAME ||
116+
matrix.provider == 'acr' && secrets.AZURE_CLIENT_ID ||
117+
matrix.provider == 'quay' && secrets.QUAY_USERNAME ||
118+
matrix.provider == 'artifactory' && secrets.ARTIFACTORY_USERNAME ||
117119
''
118120
}}
119121
registry_password: >-
120122
${{
121-
matrix.auth == 'dockerhub' && secrets.DOCKERPUBLICBOT_WRITE_PAT ||
122-
matrix.auth == 'gitlab' && secrets.GITLAB_TOKEN ||
123-
matrix.auth == 'aws' && secrets.AWS_SECRET_ACCESS_KEY ||
124-
matrix.auth == 'gar' && secrets.GAR_JSON_KEY ||
125-
matrix.auth == 'acr' && secrets.AZURE_CLIENT_SECRET ||
126-
matrix.auth == 'quay' && secrets.QUAY_TOKEN ||
127-
matrix.auth == 'artifactory' && secrets.ARTIFACTORY_TOKEN ||
123+
matrix.provider == 'dockerhub' && secrets.DOCKERPUBLICBOT_WRITE_PAT ||
124+
matrix.provider == 'gitlab' && secrets.GITLAB_TOKEN ||
125+
matrix.provider == 'gar' && secrets.GAR_JSON_KEY ||
126+
matrix.provider == 'acr' && secrets.AZURE_CLIENT_SECRET ||
127+
matrix.provider == 'quay' && secrets.QUAY_TOKEN ||
128+
matrix.provider == 'artifactory' && secrets.ARTIFACTORY_TOKEN ||
128129
''
129130
}}

0 commit comments

Comments
 (0)