Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cross AWS account access #16

Open
Allan-Gong opened this issue Jun 14, 2019 · 5 comments
Open

Cross AWS account access #16

Allan-Gong opened this issue Jun 14, 2019 · 5 comments

Comments

@Allan-Gong
Copy link

Currently this plugin can only retrieve docker images from a specified ECR in the same AWS account. Is this by design ?

For an application, the problem is that the prod and dev version runs in different AWS accounts and were deployed using different buildkite agents in different queues.

This means the same docker image would need to be created/stored in multiple ECR in different AWS accounts.

Any suggestions for this issue ?
@72636c
Copy link
Member

72636c commented Jun 17, 2019

It would be great if we can add a simple config prop like account: 123456789012.

The problem is that the plugin pushes to the ECR repository when the cache is invalidated, which may happen in the dev account/queue. This is at odds with our internal ECR guidance, which is for the repository to live in the prod account and to disallow pushes from other accounts.

A workaround would be for the plugin to detect if it is running in a queue outside of the configured account and skip any write operations accordingly. This feels a bit hand-wavy though.

What do you think @zsims?

@zsims
Copy link
Contributor

zsims commented Jun 17, 2019

I don't really understand the issue, is it a problem to have the cache stored in multiple ECRs? Without the cache you'd normally re-run those steps anyway.

I don't think adding behaviour for conditional writes or queue sniffing is the right approach. But I'm keen to understand the problem a bit more. Why is it an issue the cache is stored in each account?

@72636c
Copy link
Member

72636c commented Jun 17, 2019

If I understand correctly, it's just an optimisation to avoid rebuilding the image in each account. Maybe it's not worth the effort as you say.

@zsims
Copy link
Contributor

zsims commented Jun 17, 2019

We could do it (the effort is no issue :)). It's a bit chicken and egg because you'd have to ensure a cached build is run within the ECR account first. But we could

  • add extra parameter as you say, e.g. account which defaults to "the current account"
  • set the ECR resource policy so it can be read (+ written ?) by account
  • not worry about the pipeline, and just lookup ECR in account

Thoughts? It's not a lot of effort but we'd have to change the slogan "Zero config plugin for caching Docker images in Amazon ECR" 😆

@72636c
Copy link
Member

72636c commented Jun 27, 2019

Oops, forgot to loop back. Yeah the chicken-and-egg bit is fiddly, though unlikely if you're running all steps in prod (save for non-prod deployment).

I'm not sure how we'd specify all the accounts permitted to read(/write?) to the central ECR repo though. Yet another config option 🙄?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Allan-Gong @zsims @72636c