CircleCI-Public / aws-ecr-orb

CircleCI orb for interacting with Amazon's Elastic Container Registry (ECR)
https://circleci.com/orbs/registry/orb/circleci/aws-ecr
MIT License

Improve docs around `auth` parameter for 9.x release #299

Closed ghost closed 11 months ago

ghost commented 1 year ago

What would you like to be added

Show a clear minimal example of how to simply use a set of access keys to run the orb.

Why is this needed

Since providing access keys directly was removed in the 9.x release, the current examples don't make it clear how to replicate the same behavior with 9.x. Assuming AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are set, is it as simple as providing aws-cli/setup under auth without any further config passed to it, or do other things still need to be specified on top of that?

stefansundin commented 1 year ago

> is it as simple as providing aws-cli/setup under auth without any further config passed to it

It was for me. :+1:

I really wish the changelog was way better. This issue bit me, and so did the fact that ecr-login has been renamed to ecr_login. One of the worst changelogs I've ever seen to be honest.

hmmmsausages commented 11 months ago

Agree that the lack of a proper migration guide is kinda disappointing. By reading through PRs and orb documentation I got it working in the end.

Perhaps someone else finds this useful:

v8 configuration of build-and-push-image step:

version: 2.1

orbs:
  aws-ecr: circleci/aws-ecr@8.0.0

workflows:
  push_to_ecr:
    jobs:
      - aws-ecr/build-and-push-image:
          public-registry: false
          push-image: true
          region: us-east-1
          repo: my-sweet-app
          tag: latest
          aws-access-key-id: DEV_AWS_ACCESS_KEY_ID
          aws-secret-access-key: DEV_AWS_SECRET_ACCESS_KEY
          registry-id: DEV_AWS_ECR_REGISTRY_ID

DEV_AWS_ACCESS_KEY_ID and DEV_AWS_SECRET_ACCESS_KEY are the names of the environment variables that hold the values for the AWS access key ID and secret access key respectively. DEV_AWS_ECR_REGISTRY_ID is the name of the environment variable that holds the value of the ECR registry ID, which is the same as the AWS account ID.

v9 configuration of build_and_push_image step:

version: 2.1

orbs:
  aws-cli: circleci/aws-cli@4.1.2
  aws-ecr: circleci/aws-ecr@9.0.1

workflows:
  push_to_ecr:
    jobs:
      - aws-ecr/build_and_push_image:
          public_registry: false
          push_image: true
          region: us-east-1
          repo: my-sweet-app
          tag: latest
          auth:
            - aws-cli/setup:
                aws_access_key_id: DEV_AWS_ACCESS_KEY_ID
                aws_secret_access_key: DEV_AWS_SECRET_ACCESS_KEY
          account_id: $DEV_AWS_ECR_REGISTRY_ID

Things that needed to change:

  1. AWS authentication setup is now done via the circleci/aws-cli orb. (See docs)
  2. registry-id is now account_id, and its value should be the actual value of the registry ID / account ID, i.e. not, as previously, the name of the environment variable that holds the value. So DEV_AWS_ECR_REGISTRY_ID turns into $DEV_AWS_ECR_REGISTRY_ID.
  3. All remaining config properties seem to mostly be the same, just the casing has changed from kebab-case to snake_case.

I think ultimately the idea behind this change was to shift the responsibility for all authentication to the aws-cli orb, which is way more flexible and also allows authentication via short-lived tokens instead of long-lived access keys.
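
An added example, not part of the thread and not code from the orb: a small Python check that applies the three migration points listed in the comment above to a CircleCI config and reports each v8-style setting inside an `aws-ecr` job. The function name `lint_v8_usage` and the embedded sample are constructed for illustration, the rules are only those described in this thread, and it assumes every job and parameter follows the same kebab-case to snake_case rename.

```python
import re

JOB_RE = re.compile(r"^(\s*)-\s+aws-ecr/([\w-]+):\s*$")
PARAM_RE = re.compile(r"^\s*([\w-]+):\s*(.*)$")
ENV_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")
CRED_PARAMS = {"aws-access-key-id", "aws-secret-access-key"}

# Constructed sample, modelled on the v8 config quoted in the thread.
V8_SAMPLE = """\
workflows:
  push_to_ecr:
    jobs:
      - aws-ecr/build-and-push-image:
          push-image: true
          aws-access-key-id: DEV_AWS_ACCESS_KEY_ID
          aws-secret-access-key: DEV_AWS_SECRET_ACCESS_KEY
          registry-id: DEV_AWS_ECR_REGISTRY_ID
"""

def lint_v8_usage(config_text):
    """Hypothetical helper: return (line_no, message) pairs for aws-ecr job
    settings that the thread's migration notes say must change for 9.x."""
    findings, job_indent = [], None
    for no, line in enumerate(config_text.splitlines(), 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        job = JOB_RE.match(line)
        if job:  # start of an aws-ecr job block
            job_indent = indent
            if "-" in job.group(2):
                findings.append((no, "rename job to aws-ecr/" + job.group(2).replace("-", "_")))
            continue
        if job_indent is None or indent <= job_indent:
            job_indent = None  # outside any aws-ecr job block
            continue
        param = PARAM_RE.match(line)
        if not param:  # e.g. the "- aws-cli/setup:" list item under auth
            continue
        key, value = param.group(1), param.group(2).strip()
        if key in CRED_PARAMS:
            findings.append((no, f"{key}: move credentials to auth -> aws-cli/setup"))
        elif key == "registry-id":
            findings.append((no, f"registry-id: use account_id: ${value}"))
        elif "-" in key:
            findings.append((no, f"{key}: rename to {key.replace('-', '_')}"))
        elif key == "account_id" and ENV_NAME_RE.match(value):
            findings.append((no, f"account_id takes the value itself: ${value}"))
    return findings
```

Calling `lint_v8_usage` on the text of a `.circleci/config.yml` returns an empty list once the job matches the v9 shape shown in the thread.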