Support assume role before ECR login

buildkite-plugins · Oct 28, 2020 · 64e9ae4 · 64e9ae4
1 parent 0b50565
commit 64e9ae4
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -18,6 +18,17 @@ steps:
 
 If you want to log in to ECR on [another account](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html#IAM_allow_other_accounts):
 
+```yml
+steps:
+  - command: ./run_build.sh
+    plugins:
+      - ecr#v2.1.1:
+          login: true
+          account_ids: "0015615400570"
+          region: "ap-southeast-2"
+```
+
+If you need to assume a role to perform that login:
 
 ```yml
 steps:
@@ -27,6 +38,8 @@ steps:
           login: true
           account_ids: "0015615400570"
           region: "ap-southeast-2"
+          assume_role:
+            role_arn: "arn:aws:iam::0015615400570:role/demo"
 ```
 
 ## Options
@@ -51,6 +64,10 @@ Set a specific region for ECR, defaults to `AWS_DEFAULT_REGION` on the agent, or
 
 Retries login after a delay N times. Defaults to 0.
 
+### `assume-role` (optional)
+
+Assume an AWS IAM role before ECR login. Supports `role-arn` and `duration-seconds` (optional) per the [associated AWS CLI command.](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html)
+
 ## License
 
 MIT (see [LICENSE](LICENSE))
diff --git a/hooks/environment b/hooks/environment
@@ -156,7 +156,20 @@ function login() {
   fi
 }
 
+function assume_role_for_ecr_login() {
+  export "$(aws sts assume-role \
+    --role-arn "${BUILDKITE_PLUGIN_ECR_ASSUME_ROLE_ROLE_ARN}" \
+    --role-session-name "ecr-login-buildkite-plugin" \
+    --duration-seconds "${BUILDKITE_PLUGIN_ECR_ASSUME_ROLE_DURATION_SECONDS:-3600}" \
+    --output text \
+    --query "[['AWS_ACCESS_KEY_ID',Credentials.AccessKeyId],['AWS_SECRET_ACCESS_KEY',Credentials.SecretAccessKey],['AWS_SESSION_TOKEN',Credentials.SessionToken]][*].join(\`=\`,@)")"
+}
+
 # For logging into the current AWS account’s registry
 if [[ "${BUILDKITE_PLUGIN_ECR_LOGIN:-}" =~ ^(true|1)$ ]] ; then
+  if [[ -n "${BUILDKITE_PLUGIN_ECR_ASSUME_ROLE_ROLE_ARN:-}" ]]; then
+    assume_role_for_ecr_login
+  fi
+
   login
 fi
diff --git a/plugin.yml b/plugin.yml
@@ -18,5 +18,13 @@ configuration:
       type: boolean
     region:
       type: string
+    assume-role:
+      type: object
+      properties:
+        role-arn:
+          type: string
+        duration-seconds:
+          type: number
+          default: 3600
   required:
-    - login
+    - login