
Comments (5)

jbouse avatar jbouse commented on August 19, 2024

I could be mistaken, so @mr-smithers-excellent will have to correct me if my observations are incorrect, but the way the action is written does not have any specific requirement on the AWS authentication method used. It is simply making the AWS CLI call to ecr get-login-password using the environment variables provided. I have not tested, but I believe you could simply add the following early enough in your workflow:

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
        aws-region: ${{ secrets.AWS_REGION }}

The aws-actions/configure-aws-credentials action would set the appropriate STS session environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY & AWS_SESSION_TOKEN). I use this method with other actions but haven't yet tried it with this one.

Alternatively, you might be able to just set the AWS_ROLE_ARN and AWS_ROLE_SESSION_NAME env variables, though I haven't tried that myself either; they are documented environment variables for the CLI.

https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html

from docker-build-push.

mr-smithers-excellent avatar mr-smithers-excellent commented on August 19, 2024

@jbouse - I believe this should be the case, but have not tested it personally. If it does not work, I'd certainly consider it to be a bug with this workflow and could mitigate.

@Udomomo - can you try the approach detailed above and see if you're able to push to your ECR with the IAM role setup in the previous step?


mr-smithers-excellent avatar mr-smithers-excellent commented on August 19, 2024

After a bit more research, it looks like you will additionally need a web identity token file to authenticate. So the resulting prerequisite action would look something like this:

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
        aws-region: ${{ secrets.AWS_REGION }}
        web-identity-token-file: ${{ secrets.AWS_TOKEN_FILE }}

@Udomomo - is this the approach you are targeting?


jbouse avatar jbouse commented on August 19, 2024

After a bit more research, it looks like you will additionally need a web identity token file to authenticate. So the resulting prerequisite action would look something like this:

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
        aws-region: ${{ secrets.AWS_REGION }}
        web-identity-token-file: ${{ secrets.AWS_TOKEN_FILE }}

I use GitHub OIDC to authenticate with AWS and do not include the web-identity-token-file option. The example I gave above was from my own configuration minus the optional session length. The web-identity-token-file would most likely need to be used if not attempting to use GitHub OIDC.

I use the following:

    - name: Configure AWS credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/${{ env.AWS_ROLE_NAME }}
        role-duration-seconds: 1200
        aws-region: ${{ env.AWS_REGION }}

I use the env. prefix rather than secrets. because I have an earlier stage that is getting details out of my HashiCorp Vault, and those values get stored as environment variables (still masked for security in logs).

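A preflight check for the environment-variable mechanism discussed in jbouse's two comments above, added here as an illustration and not part of the docker-build-push action or of the thread: it reports which credential source the AWS CLI will resolve from the environment before the action runs `aws ecr get-login-password`, and fails when AWS_ROLE_ARN is set without the token file the CLI needs to assume that role. The precedence (static key variables before the web-identity variables) is assumed from the CLI credential chain; AWS_WEB_IDENTITY_TOKEN_FILE and AWS_DEFAULT_REGION are taken from the linked CLI docs, not from the thread.

```shell
#!/bin/sh
# Added preflight check (not part of the docker-build-push action): tell the
# operator which credential source the AWS CLI will pick up from the environment
# and flag half-configured setups before the ECR login step runs.
# Assumption: static key variables take precedence over the AWS_ROLE_ARN
# web-identity variables, mirroring the CLI's documented credential chain.
# Usage: . ./aws-preflight.sh && preflight

aws_cred_source() {
  if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
    if [ -n "$AWS_SESSION_TOKEN" ]; then
      echo "session"       # temporary STS credentials, as exported by configure-aws-credentials
    else
      echo "static"        # long-lived IAM user keys
    fi
  elif [ -n "$AWS_ROLE_ARN" ]; then
    if [ -n "$AWS_WEB_IDENTITY_TOKEN_FILE" ] && [ -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
      echo "web-identity"  # the CLI will call AssumeRoleWithWebIdentity itself
    else
      echo "incomplete"    # role named but no readable token file: the CLI cannot assume it
    fi
  else
    echo "none"
  fi
}

# ecr get-login-password needs a region; the CLI reads either variable.
aws_region_ok() {
  [ -n "$AWS_REGION" ] || [ -n "$AWS_DEFAULT_REGION" ]
}

preflight() {
  src=$(aws_cred_source)
  case "$src" in
    session|web-identity) ;;
    static) echo "warning: long-lived keys in env; prefer OIDC-issued session credentials" >&2 ;;
    incomplete) echo "error: AWS_ROLE_ARN set but AWS_WEB_IDENTITY_TOKEN_FILE missing or unreadable" >&2; return 1 ;;
    none) echo "error: no AWS credentials found in environment" >&2; return 1 ;;
  esac
  aws_region_ok || { echo "error: AWS_REGION/AWS_DEFAULT_REGION unset" >&2; return 1; }
  echo "credential source: $src"
}
```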

mr-smithers-excellent avatar mr-smithers-excellent commented on August 19, 2024

@Udomomo - this should be an available auth mechanism using this action as detailed above. Be sure you are referencing the latest version using the below syntax. Feel free to re-open this issue if you have further problems.

    - uses: mr-smithers-excellent/docker-build-push@v5

or

    - uses: mr-smithers-excellent/[email protected]

