Log into registry in another account in different region under a self-hosted environment #174
Comments
I have a similar issue where I need to pull images from two different regions in the same account
Having same issue with login to the ecr repo from another account, but on the same region.
running into the same issue, had to resort to writing the following script:

```bash
# REGIONS (space-separated list) and ACCOUNT_ID are expected in the environment
registries=()
for region in $REGIONS; do
  registry="${ACCOUNT_ID}.dkr.ecr.${region}.amazonaws.com"
  # The token is piped over stdin so it never appears in the process list
  aws ecr get-login-password --region "$region" | docker login --username AWS --password-stdin "$registry"
  registries+=("$registry")
done
echo ::set-output name=registries::"${registries[@]}"
```
the same for push image to different account ECR
+1
If your prior steps involve using the If you're not using
You can use the following way:
where AWS_REGION_RUNNER is us-east-1 and AWS_REGION is us-east-2 for example.
@stefam You mean us-east-2 for AWS_REGION_RUNNER and us-east-1 for AWS_REGION, right? This works for me. Thanks!!
I'm in a situation where I need to authenticate to an ECR registry in a different account and region than where the self-hosted runner is running in. This is part of an internal project of migrating AWS accounts but still needing to access resources within the account we're moving away from.
A self-hosted runner in Account A (in region us-west-2) contains an IAM instance profile that allows it to assume a role in Account B to push images to the ECR registry (in region us-east-1), amongst many other things.
I can successfully assume the role in Account B using aws-actions/configure-aws-credentials@v1, but since the region input is for the initial client, aws-actions/amazon-ecr-login implicitly inherits it when it authenticates to ECR. I need it to use a different region.
At first I thought I could modify the region in its own step:
But it didn't work. This GitHub Action still authenticated to the ECR registry in the us-west-2 region.
Then I thought to run AWS ECR commands directly to specify the region:
This works but it replaces this convenient GitHub Action. It would be nice, despite it being very uncommon, if I could just provide this GitHub Action the region I need to authenticate into. This approach also stores the credentials unencrypted:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Another approach I took is using aws-actions/configure-aws-credentials@v1 again to use the temporary assumed-role credentials (set to environment variables in a previous step) to set the region for subsequent steps.
This worked but adds another step to the job.
So, is there a simpler way to do this than what I've done above? Is there a simpler way to modify the region before running this GitHub Action? If not, could we add a region input to this GitHub Action? I can work on this if this is something desired.
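
An added example, not code from this thread or from the action itself: a POSIX shell wrapper for the manual `aws ecr get-login-password` approach that takes the target account and region explicitly and keeps the token out of the shared `/root/.docker/config.json` by pointing `DOCKER_CONFIG` at a temporary directory that is removed afterwards. The helper names `ecr_registry` and `with_ecr_login` are hypothetical, and the hostname format assumes the standard `aws` partition.

```sh
#!/bin/sh
# Added example (not from the thread): run one command with a short-lived,
# private Docker credential store for an ECR registry in a chosen region.
set -eu

# Print ACCOUNT.dkr.ecr.REGION.amazonaws.com after validating both parts,
# so nothing unexpected ends up in the registry hostname.
# Assumption: standard "aws" partition (other partitions use other suffixes).
ecr_registry() {
  case "$1" in ''|*[!0-9]*) echo "bad account id" >&2; return 1 ;; esac
  [ "${#1}" -eq 12 ] || { echo "bad account id" >&2; return 1; }
  case "$2" in ''|-*|*-|*[!a-z0-9-]*) echo "bad region" >&2; return 1 ;; esac
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Usage: with_ecr_login ACCOUNT_ID REGION COMMAND [ARGS...]
# (hypothetical helper name). docker login still writes the token into a
# config.json, but inside a mode-0700 temp dir that is deleted afterwards.
with_ecr_login() {
  wel_registry=$(ecr_registry "$1" "$2") || return 1
  wel_region=$2
  shift 2
  wel_dir=$(mktemp -d)
  wel_rc=0
  (
    export DOCKER_CONFIG="$wel_dir"
    # Fetch the token first so a failed AWS call stops here.
    token=$(aws ecr get-login-password --region "$wel_region") || exit 1
    # printf is a shell builtin: the token goes over stdin, never into argv.
    printf '%s' "$token" |
      docker login --username AWS --password-stdin "$wel_registry" >/dev/null || exit 1
    "$@"
  ) || wel_rc=$?
  rm -rf -- "$wel_dir"
  return "$wel_rc"
}
```

After sourcing the file, a call has the form `with_ecr_login <account-id> us-east-1 docker push <image>`; the AWS credentials for the target account must already be in the environment, for example from an earlier assume-role step.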