Set environment variables for credHelper

[EugenDueck]

I want to use the "ecr-login" credHelper for both from and to, but I need to use different environment variables (AWS_PROFILE in my case), because the IAM is different in each case. If it is possible somehow, I would like to know, and if not, I would like to request this feature (just like e.g. environment can be set for dockerClient).

As a workaround, I will now try to run the credHelper manually and pass in username/password values via system properties (-Djib.to.auth.username=...)

[chanseokoh]

This is an interesting use case.

As another coarse workaround, you can write two wrapper scripts ecr-login-foo and ecr-login-bar (probably OK to have a .sh suffix) that just sets AWS_PROFILE and delegates to ecr-login. For example,

#!/bin/sh

AWS_PROFILE=profile-foo
exec docker-credential-ecr-login $*  # "exec" is not really required; I just do it to replace the sh process.

Then having jib.{from|to}.credHelper='ecr-login-foo' will probably work. Still ugly. Just an idea.

[EugenDueck]

@chanseokoh Thanks for the idea - I ended up being able to push the base image into the same ecr registry as the output image. So problem solved for me, but by working around it. But I think this is a valid, if not that common, use case, so I would like to leave this as a feature request.

[vinod-tahelyani]

@chanseokoh I would like to help in this. I have researched a bit and found that, we can get credentials specific to AWS_PROFILE by setting AWS_PROFILE=profile-foo, before calling start in

jib/jib-core/src/main/java/com/google/cloud/tools/jib/registry/credentials/DockerCredentialHelper.java

Line 134 in 9f4c93c

Process process = processBuilderFactory.apply(credentialHelperCommand).start();

something like

ProcessBuilder processBuilder = processBuilderFactory.apply(credentialHelperCommand);
processBuilder.environment().put("AWS_PROFILE", awsProfile);
Process process = processBuilder.start();

But I have few questions

1. How do we set aws profiile in from and to, Is the below config ok?

jib {
  from {
    image = '0123456789.dkr.ecr.us-east-1.amazonaws.com/my-base-image:latest'
    credHelper = 'ecr-login'
    awsProfile = 'ecr-user1'
  }
  to {
    image = '0123456789.dkr.ecr.us-east-1.amazonaws.com/my-target-image:latest'
    credHelper = 'ecr-login'
    awsProfile = 'ecr-user2'
  }
}

2. How do we get awsProfile in DockerCredentialHelper.java?

[chanseokoh]

@vinod-tahelyani thanks for your interest on this.

What we want is a general way to provide any environment variables when running a credential helper. Maybe something like

jib.from.credHelper {
  helper = 'ecr-login'
  // map property
  environment = [
    AWS_PROFILE: 'ecr-user2',
    FOO: 'bar'
  ]
}

while still maintaining backward compatibility with the current usage: jib.from.credHelper = 'ecr-login'.

[vinod-tahelyani]

@chanseokoh I have linked a PR, which is solution for gradle. Pls look into, if it looks ok then I'll add solution for maven and corresponding test as well.
Thanks

[chanseokoh]

Haven't heard back from @vinod-tahelyani about their PR (#3093) for months. Will close the PR due to inactivity. This issue is again up for a "good first issue", welcoming contributions.

[tobiade]

Hey @chanseokoh I'm happy to pick this up. Will get a PR out soon!

[tobiade]

@chanseokoh I've raised #3575 to fix this - please have a look when you can. Thanks!

[elefeint]

jib-maven-plugin v3.2.1 and jib-gradle-plugin v3.2.1 released.