Merge pull request #114 from Flydiverny/fix-ec2-instance-credentials

fix(ecr): use ec2 instance credentials when no credentials are provided

__tests__/docker.test.ts

@@ -1,4 +1,5 @@
-import {loginStandard, logout} from '../src/docker';
+import {loginECR, loginStandard, logout} from '../src/docker';
+import * as aws from '../src/aws';
 
 import * as path from 'path';
 
@@ -47,3 +48,78 @@ test('logout calls exec', async () => {
     ignoreReturnCode: true
   });
 });
+
+test('loginECR sets AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if username and password is set', async () => {
+  const execSpy: jest.SpyInstance = jest.spyOn(aws, 'getDockerLoginCmds');
+  execSpy.mockImplementation(() => Promise.resolve([]));
+  jest.spyOn(aws, 'getCLI').mockImplementation(() => Promise.resolve(''));
+  jest.spyOn(aws, 'getCLIVersion').mockImplementation(() => Promise.resolve(''));
+  jest.spyOn(aws, 'getRegion').mockImplementation(() => '');
+  jest.spyOn(aws, 'getAccountIDs').mockImplementation(() => []);
+  jest.spyOn(aws, 'isPubECR').mockImplementation(() => false);
+
+  const username: string = 'dbowie';
+  const password: string = 'groundcontrol';
+  const registry: string = 'https://ghcr.io';
+
+  await loginECR(registry, username, password);
+
+  expect(process.env.AWS_ACCESS_KEY_ID).toEqual(username);
+  expect(process.env.AWS_SECRET_ACCESS_KEY).toEqual(password);
+});
+
+test('loginECR keeps AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if set', async () => {
+  const execSpy: jest.SpyInstance = jest.spyOn(aws, 'getDockerLoginCmds');
+  execSpy.mockImplementation(() => Promise.resolve([]));
+  jest.spyOn(aws, 'getCLI').mockImplementation(() => Promise.resolve(''));
+  jest.spyOn(aws, 'getCLIVersion').mockImplementation(() => Promise.resolve(''));
+  jest.spyOn(aws, 'getRegion').mockImplementation(() => '');
+  jest.spyOn(aws, 'getAccountIDs').mockImplementation(() => []);
+  jest.spyOn(aws, 'isPubECR').mockImplementation(() => false);
+
+  process.env.AWS_ACCESS_KEY_ID = 'banana';
+  process.env.AWS_SECRET_ACCESS_KEY = 'supersecret';
+
+  await loginECR('ecr.aws', '', '');
+
+  expect(process.env.AWS_ACCESS_KEY_ID).toEqual('banana');
+  expect(process.env.AWS_SECRET_ACCESS_KEY).toEqual('supersecret');
+});
+
+test('loginECR overrides AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if username and password set', async () => {
+  const execSpy: jest.SpyInstance = jest.spyOn(aws, 'getDockerLoginCmds');
+  execSpy.mockImplementation(() => Promise.resolve([]));
+  jest.spyOn(aws, 'getCLI').mockImplementation(() => Promise.resolve(''));
+  jest.spyOn(aws, 'getCLIVersion').mockImplementation(() => Promise.resolve(''));
+  jest.spyOn(aws, 'getRegion').mockImplementation(() => '');
+  jest.spyOn(aws, 'getAccountIDs').mockImplementation(() => []);
+  jest.spyOn(aws, 'isPubECR').mockImplementation(() => false);
+
+  process.env.AWS_ACCESS_KEY_ID = 'banana';
+  process.env.AWS_SECRET_ACCESS_KEY = 'supersecret';
+  const username = 'myotheruser';
+  const password = 'providedpassword';
+
+  await loginECR('ecr.aws', username, password);
+
+  expect(process.env.AWS_ACCESS_KEY_ID).toEqual(username);
+  expect(process.env.AWS_SECRET_ACCESS_KEY).toEqual(password);
+});
+
+test('loginECR does not set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY if not set', async () => {
+  const execSpy: jest.SpyInstance = jest.spyOn(aws, 'getDockerLoginCmds');
+  execSpy.mockImplementation(() => Promise.resolve([]));
+  jest.spyOn(aws, 'getCLI').mockImplementation(() => Promise.resolve(''));
+  jest.spyOn(aws, 'getCLIVersion').mockImplementation(() => Promise.resolve(''));
+  jest.spyOn(aws, 'getRegion').mockImplementation(() => '');
+  jest.spyOn(aws, 'getAccountIDs').mockImplementation(() => []);
+  jest.spyOn(aws, 'isPubECR').mockImplementation(() => false);
+
+  delete process.env.AWS_ACCESS_KEY_ID;
+  delete process.env.AWS_SECRET_ACCESS_KEY;
+
+  await loginECR('ecr.aws', '', '');
+
+  expect('AWS_ACCESS_KEY_ID' in process.env).toEqual(false);
+  expect('AWS_SECRET_ACCESS_KEY' in process.env).toEqual(false);
+});

src/docker.ts

@@ -62,8 +62,12 @@ export async function loginECR(registry: string, username: string, password: str
     core.info(`AWS ECR detected with ${region} region`);
   }
 
-  process.env.AWS_ACCESS_KEY_ID = username || process.env.AWS_ACCESS_KEY_ID;
-  process.env.AWS_SECRET_ACCESS_KEY = password || process.env.AWS_SECRET_ACCESS_KEY;
+  if (username) {
+    process.env.AWS_ACCESS_KEY_ID = username;
+  }
+  if (password) {
+    process.env.AWS_SECRET_ACCESS_KEY = password;
+  }
 
   core.info(`Retrieving docker login command through AWS CLI ${cliVersion} (${cliPath})...`);
   const loginCmds = await aws.getDockerLoginCmds(cliVersion, registry, region, accountIDs);