如果 docker 容器安装在我的 EC2 虚拟机上,我可以在 docker 容器中使用 amazon ecr 凭证助手吗?
[英]Can I use amazon ecr credential helper inside a docker container if its installed on my EC2 VM?
问题描述
I've installed the credential helper GitHub on our ec2 instance and got it working for my account.
我已经在我们的 ec2 实例上安装了凭证助手GitHub并让它为我的帐户工作。 What I want to do is to use it during my GitLab CI/CD pipeline, where my gitlab-runner is actually running inside a docker container, and spawns new containers for the build, test & deploy phases.我想要做的是在我的 GitLab CI/CD 管道中使用它,我的 gitlab-runner 实际上在 docker 容器内运行,并为构建、测试和部署阶段生成新容器。 This is what our test phase looks like now:这就是我们的测试阶段现在的样子:
image: docker:stable
run_tests:
stage: test
tags:
- test
before_script:
- echo "Starting tests for CI_COMMIT_SHA=$CI_COMMIT_SHA"
- docker run --rm mikesir87/aws-cli aws ecr get-login-password | docker login --username AWS --password-stdin $IMAGE_URL
script:
- docker run --rm $IMAGE_URL:$CI_COMMIT_SHA npm test
This works fine, but what I'd like to see if I could get working is the following:这工作正常,但我想看看我是否可以工作如下:
image: docker:stable
run_tests:
image: $IMAGE_URL:$CI_COMMIT_SHA
stage: test
tags:
- test
script:
- npm test
When I try the 2nd option it I get the no basic auth credentials .当我尝试第二个选项时,我no basic auth credentials获得no basic auth credentials 。 So I'm wondering if there is a way to get the credential helper to map to the docker container without having to have the credential helper installed on the image itself.所以我想知道是否有一种方法可以让凭证助手映射到 docker 容器,而不必在图像本身上安装凭证助手。
1 个解决方案
解决方案1
0 2021-11-03 21:00:48
Configure your runner to use the credential helper with DOCKER_AUTH_CONFIG environment variable.将您的运行程序配置为使用带有DOCKER_AUTH_CONFIG环境变量的凭证助手。 A convenient way to do this is to bake it all into your image.一种方便的方法是将其全部烘焙到您的图像中。
So, your gitlab-runner image should include the the docker-credential-ecr-login binary (or you should mount it in from the host).因此,您的 gitlab-runner 映像应该包含 docker- docker-credential-ecr-login二进制文件(或者您应该从主机安装它)。
FROM gitlab/gitlab-runner:v14.3.2
COPY bin/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login
Then when you call gitlab-runner register pass in the DOCKER_AUTH_CONFIG environment variable using --env flag as follows:然后当你调用gitlab-runner register中通DOCKER_AUTH_CONFIG使用环境变量--env标志如下:
AUTH_ENV="DOCKER_AUTH_CONFIG={ \"credsStore\": \"ecr-login\" }"
gitlab-runner register \
--non-interactive \
...
--env "${AUTH_ENV}" \
--env "AWS_SDK_LOAD_CONFIG=true" \
...
You can also set this equivalently in the config.toml , instance CI/CD variables, or anywhere CI/CD variables are set (group, project, yaml, trigger, etc).您还可以在config.toml 、实例 CI/CD 变量或设置 CI/CD 变量的任何地方(组、项目、yaml、触发器等)中等效地设置它。
As long as your EC2 instance (or ECS task role if running the gitlab-runner as an ECS task) has permission to pull the image, your jobs will be able to pull down images from ECR declared in image: sections.只要您的 EC2 实例(或 ECS 任务角色,如果将 gitlab-runner 作为 ECS 任务运行)有权拉取映像,您的作业就能够从image:部分中声明的 ECR 拉取映像。
However this will NOT necessarily let you automatically pull images using docker-in-docker (eg invoking docker pull within the script: section of a job).但是,这不一定会让您使用 docker-in-docker 自动拉取图像(例如,在script:调用docker pull script:作业的部分)。 This can be configured (as it seems you already have working), but may require additional setup, depending on your runner and IAM configuration.这可以配置(因为您似乎已经在工作),但可能需要额外的设置,具体取决于您的运行器和 IAM 配置。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.