Is there a way to do pre: or similar at the docker: stage? for ECR?

ecr
docker

#1

I’d like to run the ECR login command and extract the username/password. Then I could use the normal private docker image settings on the docker: section. Is there a way to do something like that?

I.d like to do this:

docker:
  - image: acme-private/private-image:321
    auth:
      username: aws-ecr-user  # extracted from ECR login command 
      password: aws-ecr-password  # also extracted from ECR login command

#2

I have a similar issue:

Don’t know a solution yet


#3

See my answer to the other thread:


#4

Support for ECR in CircleCI 2.0 is on the roadmap.

@fvanderwerf Do you have a working example of that with a config.yml?


#5

I would like to do this too. It seems a very basic functionality. Can someone post a working config.yml for this please? Presumably it includes a shell script to make the ecr-credential-helper work but guidance much appreciated.


#6

Hello, I got this working with the following config.yml. It’s perhaps a bit messy so let me know if there’s a better way, but it works because the appropriate password is returned as the sixth argument returned by the aws-credential-helper (i.e. the “f” character), and the username as the fourth (i.e. the “d” character):

version: 2
jobs:
  build:
    docker:
      - image: $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$AWS_ECS_REPOSITORY_NAME:latest
        auth:
          username: $(read a b c d e f g <<<$(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION) ; echo "$d";)
          password: $(read a b c d e f g <<<$(aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION) ; echo "$f";)

#7

@aidanrussell This is a genius workaround! Thanks a lot for this :thumbsup:


#8

@aidanrussell The fact that you got that workaround to work is… incredible. Props.

We’ve launched official support for authenticating to ECR now: https://circleci.com/blog/aws-ecr-auth-support/


#9

@FelicianoTech Hooray! Much cleaner :relaxed:


#10

can we still use dynamic values as in AIDANRUSSELL’s solution? I have two ECR repos. A development and a production. So my key/secret will be different depending on which branch I am pushing. How can we make the key/secret dynamic?


#11

Take a look at the docs. I think the best way to do what you want, keeping things “official”, is to use a different job for each environment. Then, you can use a different set of environment variables for your AWS creds.


#12

That seems extremely inefficient and redundant. So we’d have to completely duplicate the job just to use different keys?


#13

With YAML anchors, yes. Or do what you asked if you could keep doing. Just giving you another option.


#14