Skip the AWS_PROFILE= on ECR docker pulls


I keep forgetting to set AWS_PROFILE=production for every docker pull, and I feel dumb when I forget.

Stopping to bang my head on the desk really breaks the “flow state”

…so I did this:

With a .aws/config that looks like:

[profile production]
...
sso_account_id = 234567890123
...
[profile staging]
...
sso_account_id = 123456789012
...

I configured my .docker/config.json like this:

"credHelpers": {
  "123456789012.dkr.ecr.us-west-2.amazonaws.com": "aws-profile-staging",
  "234567890123.dkr.ecr.us-east-2.amazonaws.com": "aws-profile-production"
},

Finally, a wrapper that looks like this:

#!/bin/bash
# Name this script "docker-credential-aws-profile-{PROFILE}" and put it in the
# same dir as docker-credential-ecr-login

# trim off the "docker-credential-aws-profile-" prefix (30 chars), keep the suffix
export AWS_PROFILE="$(basename "$0" | cut -c31-)"

# "ecr-login" is conventionally a binary in PATH "docker-credential-ecr-login"
exec "$(dirname "$0")/docker-credential-ecr-login" "$@"

So now, when I do a docker pull 123456789012.dkr.ecr.us-west-2.amazonaws.com/images/bazel:5.3.2, docker looks up the credential helper for that registry, sees “aws-profile-staging”, and runs /usr/bin/docker-credential-aws-profile-staging. The wrapper converts its own name to “staging” and passes execution to /usr/bin/docker-credential-ecr-login with AWS_PROFILE set to match my AWS profile. This works the same as if all my credHelpers were “ecr-login”, but I don’t need to give the redundant AWS_PROFILE. docker-credential-ecr-login returns the creds from my current active login with AWS, which pass back through the stack to docker, which should cache the value globally for my user across all my shells/terminals rather than being inconsistent.

Works in Bazel too, and since AWS_PROFILE no longer has to be set in the environment, it shouldn’t add entropy to the env that would disrupt the cache.
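Because the profile is now chosen by a hostname-to-helper mapping, a crossed entry would quietly fetch credentials with the wrong profile. The following lint is an added example, not part of the original post: it checks that each registry's account ID matches the sso_account_id of the profile its helper names. It assumes every registry is pulled with a profile from the same account (no cross-account pulls); the function name and sample inputs are constructed for illustration.

```python
import configparser
import json
import re

# ECR registry hostnames embed the owning account ID and region.
ECR_HOST = re.compile(r"^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$")
HELPER_PREFIX = "aws-profile-"  # helper naming scheme used by the wrapper above


def check_cred_helpers(docker_config_text, aws_config_text):
    """Return (registry, problem) pairs for helper entries that would fetch
    credentials with a missing profile or one from a different account."""
    helpers = json.loads(docker_config_text).get("credHelpers", {})
    aws = configparser.ConfigParser(interpolation=None)
    aws.read_string(aws_config_text)

    problems = []
    for registry, helper in helpers.items():
        host = ECR_HOST.match(registry)
        if not host or not helper.startswith(HELPER_PREFIX):
            continue  # not an ECR registry routed through the wrapper
        profile = helper[len(HELPER_PREFIX):]
        section = f"profile {profile}"
        if not aws.has_section(section):
            problems.append((registry, f"profile '{profile}' not in AWS config"))
            continue
        account = aws.get(section, "sso_account_id", fallback=None)
        if account != host.group(1):
            problems.append(
                (registry, f"profile '{profile}' is account {account}, "
                           f"registry is account {host.group(1)}"))
    return problems


# Constructed sample input: the second entry is deliberately crossed and the
# third names a profile that does not exist.
SAMPLE_DOCKER = """{"credHelpers": {
  "123456789012.dkr.ecr.us-west-2.amazonaws.com": "aws-profile-staging",
  "234567890123.dkr.ecr.us-east-2.amazonaws.com": "aws-profile-staging",
  "345678901234.dkr.ecr.us-east-1.amazonaws.com": "aws-profile-dev"
}}"""
SAMPLE_AWS = """
[profile production]
sso_account_id = 234567890123
[profile staging]
sso_account_id = 123456789012
"""

if __name__ == "__main__":
    for registry, problem in check_cred_helpers(SAMPLE_DOCKER, SAMPLE_AWS):
        print(f"{registry}: {problem}")
```
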
