in container_images/registry-image-forked/types.go [327:385]
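// AuthenticateToECR obtains an ECR authorization token with the configured AWS
// credentials and rewrites the source so it authenticates against ECR.
//
// The static credentials on the source create the first session. Each entry of
// aws_role_arns (or the single aws_role_arn) is then assumed in order, every
// role being assumed with the session of the previous one. On success Username
// is set to "AWS", Password to the token's password part, and Repository is
// prefixed with the registry host taken from the token's proxy endpoint.
//
// It returns false, after logging the reason, on any failure. The source is
// only modified once every step has succeeded, so a failed call does not leave
// a half-updated Password behind.
func (source *Source) AuthenticateToECR() bool {
	logrus.Warnln("ECR integration is experimental and untested")
	if source.AwsRoleArn != "" && len(source.AwsRoleArns) != 0 {
		logrus.Errorf("`aws_role_arn` cannot be set at the same time as `aws_role_arns`")
		return false
	}

	// session.NewSession is used instead of session.Must so that a bad
	// configuration is reported like every other failure here rather than
	// panicking the process.
	mySession, err := session.NewSession(&aws.Config{
		Region:      aws.String(source.AwsRegion),
		Credentials: credentials.NewStaticCredentials(source.AwsAccessKeyID, source.AwsSecretAccessKey, source.AwsSessionToken),
	})
	if err != nil {
		logrus.Errorf("failed to create AWS session: %s", err)
		return false
	}

	// Note: This implementation gives precedence to `aws_role_arn` since it
	// assumes that we've errored if both `aws_role_arn` and `aws_role_arns`
	// are set
	awsRoleArns := source.AwsRoleArns
	if source.AwsRoleArn != "" {
		awsRoleArns = []string{source.AwsRoleArn}
	}
	for _, roleArn := range awsRoleArns {
		logrus.Debugf("assuming new role: %s", roleArn)
		nextSession, err := session.NewSession(&aws.Config{
			Region:      aws.String(source.AwsRegion),
			Credentials: stscreds.NewCredentials(mySession, roleArn),
		})
		if err != nil {
			logrus.Errorf("failed to create AWS session for role %s: %s", roleArn, err)
			return false
		}
		mySession = nextSession
	}

	client := ecr.New(mySession)
	result, err := source.GetECRAuthorizationToken(client)
	if err != nil {
		logrus.Errorf("failed to authenticate to ECR: %s", err)
		return false
	}
	// An empty list would otherwise panic on the [0] index below.
	if len(result.AuthorizationData) == 0 {
		logrus.Errorf("failed to authenticate to ECR: no authorization data returned")
		return false
	}

	// NOTE(review): as before, the password kept is the one from the last
	// entry while the endpoint comes from the first; confirm that a single
	// entry is what callers expect.
	var password string
	for _, data := range result.AuthorizationData {
		if data.AuthorizationToken == nil {
			logrus.Errorf("failed to decode credential (missing authorization token)")
			return false
		}
		// The decoded token is a registry credential ("user:password");
		// neither it nor the password is ever written to the log.
		output, err := base64.StdEncoding.DecodeString(*data.AuthorizationToken)
		if err != nil {
			logrus.Errorf("failed to decode credential (%s)", err.Error())
			return false
		}
		// Split on the first ':' only, so a password that itself contains a
		// colon is kept whole instead of being rejected.
		split := strings.SplitN(string(output), ":", 2)
		if len(split) != 2 {
			logrus.Errorf("failed to parse password.")
			return false
		}
		password = strings.TrimSpace(split[1])
	}

	endpoint := result.AuthorizationData[0].ProxyEndpoint
	if endpoint == nil {
		logrus.Errorf("failed to authenticate to ECR: no proxy endpoint returned")
		return false
	}

	// Update username, password and repository only now that nothing can fail.
	source.Username = "AWS"
	source.Password = password
	source.Repository = strings.Join([]string{strings.TrimPrefix(*endpoint, "https://"), source.Repository}, "/")
	return true
}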