Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Log into registry in another account in different region under a self-hosted environment #174

Closed
keithalpichi opened this issue Jun 1, 2021 · 8 comments
Closed

Log into registry in another account in different region under a self-hosted environment #174

keithalpichi opened this issue Jun 1, 2021 · 8 comments

Comments

@keithalpichi
Copy link

I'm in a situation where I need to authenticate to an ECR registry in a different account and region than where the self-hosted runner is running in. This is part of an internal project of migrating AWS accounts but still needing to access resources within the account we're moving away from.

A self-hosted runner in Account A (in region us-west-2) contains a IAM instance profile that allows it to assume a role in Account B to push images to the ECR registry (in region us-east-1), amongst many other things.

I can successfully assume the role in Account B using aws-actions/configure-aws-credentials@v1, but since the region input is for the initial client, aws-actions/amazon-ecr-login implicitly inherits it when it authenticates to ECR. I need it to use a different region.

At first I thought I could modify the region in it's own step:

# there is a step prior that assumes the role
# ....
- name: Set AWS region to us-east-1
  run: aws configure set default.region us-east-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Account B AWS ECR
  run: |
    docker build -t $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION

But it didn't work. This Github Action still authenticated to the ECR registry in the us-west-2 region.

Then I thought to run AWS ECR commands directly to specify the region:

# there is a step prior that assumes the role
# ....
- name: Login to Account B ECR
  run: |
    aws ecr get-login-password --region $ACCT_B_REGION | \
    docker login --username AWS --password-stdin $ACCT_B_ECR_REGISTRY
- name: Build, tag, and push image to Account B AWS ECR
  run: |
    docker build -t $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION

This works but it replaces this convenient Github Action. It would be nice, despite it being very uncommon, if I could just provide this Github Action the region I need to authenticate into. This approach also stores the credentials unencrypted- WARNING! Your password will be stored unencrypted in /root/.docker/config.json.

Another approach I took is using aws-actions/configure-aws-credentials@v1 again to use the temporary assumed-role credentials (set to environment variables in a previous step) to set the region for subsequent steps.

# there is a step prior that assumes the role
# ....
- name: Configure temp AWS credentials for ECR login
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
    aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
    aws-region: us-east-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Account B AWS ECR
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
   run: |
     docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
     docker push $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION

This worked but adds another step to the job.

So, is there a simpler way to do this than what I've done above? Is there a simpler way to modify the region before running this Github Action? If not, could we add a region input to this Github Action. I can work on this if this is something desired.
@usjpaq
Copy link

usjpaq commented Jun 4, 2021

I have a similar issue where I need to pull images from two different regions in the same account

@kirillbilchenko
Copy link

Having same issue with login to the ecr repo from another account, but on the same region.

@nitrocode nitrocode mentioned this issue Aug 3, 2021
Closed
@dudicoco
Copy link

dudicoco commented Aug 9, 2021

running into the same issue, had to resort to writing the following script:

registries=()

for region in $REGIONS; do
  registry="${ACCOUNT_ID}.dkr.ecr.${region}.amazonaws.com"
  aws ecr get-login-password --region "$region"  | docker login --username AWS --password-stdin "$registry"
  registries+=("$registry")
done

echo ::set-output name=registries::"${registries[@]}"

@jeff51419
Copy link

the same for push image to different account ECR

@sbkg0002
Copy link

+1

@philomory
Copy link

At first I thought I could modify the region in it's own step:

# there is a step prior that assumes the role
# ....
- name: Set AWS region to us-east-1
  run: aws configure set default.region us-east-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Account B AWS ECR
  run: |
    docker build -t $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION

But it didn't work. This Github Action still authenticated to the ECR registry in the us-west-2 region.

If your prior steps involve using the aws-actions/configure-aws-credentials action, then part of the problem you're having is probably the fact that that action doesn't merely configure the default AWS profile, it also exports a bunch of environment variables into the job environment for all future steps, including AWS_REGION; so even if you edit the default profile's configured region to be us-east-1, that won't actually matter to the subsequent amazon-ecr-login action, because the default region of the active profile is being ignored in favor of the region specified by the AWS_REGION environment variable (which is still set to us-west-2) anyway.

If you're not using aws-actions/configure-aws-credentials, then you can ignore this comment.

@stefam
Copy link

stefam commented May 15, 2024
edited
Loading

You can use the following way:

      - name: Assume aws role
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
          aws-region: ${{ vars.AWS_REGION_RUNNER }}
          role-skip-session-tagging: true
          role-duration-seconds: 2400

      - name: Login to AWS Registry
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
        with:
          mask-password: 'true'
        env:
          AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }}
          AWS_REGION: ${{ vars.AWS_REGION }}

where AWS_REGION_RUNNER is us-east-1 and AWS_REGION is us-east-2 for example.

@IjjS
Copy link

IjjS commented May 21, 2024

@stefam You mean us-east-2 for AWS_REGION_RUNNER and us-east-1 for AWS_REGION, right? This works for me. Thanks!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@philomory @sbkg0002 @kirillbilchenko @stefam @keithalpichi @jeff51419 @dudicoco @arjraman @usjpaq @IjjS