0

I have been trying to set this up of the better part of the day, and am wondering that there surely is an easier way to do this and i must be doing it wrong?

image: amazon/aws-cli:latest

stages:


    

  • terraform_plan
    • 

  • terraform_apply
    • 



variables:
  ECR_BASE_URL: <accountID>.dkr.ecr.eu-central-1.amazonaws.com
  ECR_BUIDIMAGE_PROD: $ECR_BASE_URL/something/ops/buildimage-prod:latest


before_script:


    

  • export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
    • 

  • export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
    • 

  • aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_BASE_URL
    • 

  • docker pull $ECR_BUILDIMAGE_PROD
    • 



terraform_plan:
  stage: terraform_plan


https://docs.aws.amazon.com/AmazonECR/latest/userguide/docker-pull-ecr-image.html


image: $ECR_BUIDIMAGE_PROD
  script:
    - echo "Initialise Terraform..."

Obviously the pipeline snippet above will not work (images are pulled before any script is executed), since that would be too easy, right? But this is roughly how i would like it to work, lol. I got image pulling to work locally (in the shell of the host directly) by roughly doing the following:

- apt install amazon-ecr-credential-helper
- added a /root/.aws/credentials file
- added { "credsStore": "ecr-login" } to /root/.docker/config.json 
- added environment = ["DOCKER_AUTH_CONFIG={ \"credsStore\": \"ecr-login\" }"] to the /etc/gitlab-runner/config.toml

and now i can use docker pull <ecr image path> to fetch a image from aws ecr finally. However there are a few things wrong with this:

  1. I like to run my pipelines in a docker-in-docker setup in order to keep the host clean and disposable and minimise risk of exposing sensitive data to the host and potentially even to other pipelines.
  2. The above way allows any pipeline to pull any image from ecr, i like it so that the pipeline provides the credentials (AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY) that are scoped for the particular pipeline.

There must be 1000's of people running a similar setup as to what i like to do, so i'm sure there is something i must be overlooking?

ps: Gitlab: 17.2 Host: self hosted on Debian 12 via apt

Kamaradski
  • 101

0 Answers0