Allow a role to be assumed before checking Docker images in AWS ECR #9103
Conversation
The session token is only useful for session credentials that needed an MFA. Dependabot will never use session credentials. Devs who want to test locally may want to use them.
If `LOCAL_ECR_REGISTRY` is set, add the standard AWS environment variables as credentials.
Add ECR role to assume to ECR credentials, if set.
8a455d9 to a38271d
Unfortunately, I don't think this is going to work. In production, the VM that runs Dependabot does not have access to credential data. We run a short-lived, job-specific proxy that intercepts requests and attaches any credentials that are configured for requests that match the configured registry. So while this might work in dry-runs, in production it would fail. Unfortunately, said proxy is not publicly available today.
Thanks for the explanation, I was worried about that. I see that the Dependabot CLI can set up a local environment with the credential proxy, but I guess that it's aimed at internal team members?
Yeah, the proxy container can be pulled publicly and contains an executable version of the proxy, but the source code is not available today. We've talked about opening this up as well to allow contributions such as yours, but it's not something we have concrete plans for right now, as there's a bit of red tape involved and so many competing priorities. I wish I had a more satisfying answer, to be honest.
No worries, thanks for confirming that. I'll drop this PR: the actual AWS SDK code change is pretty trivial, so no big deal to recreate later when/if the proxy gets opened up.
This is to resolve #6152
Very much a work-in-progress. I've tested this code with:
(both of the existing use-cases)
And a new use case:
I still have a few challenges:
Any advice or guidance on these would be greatly appreciated!
I spotted a bug with `bin/dry-run` when credentials get set: they're not converted to `Dependabot::Credential`s. A follow-up to #8967? I also saw that `regctl` assumes it's already logged in, which isn't always true.