This is an extract from an image build script of mine, showing how I check the cached Docker credentials for ECR Public for expiry before the push and re-run the login chain when they are missing, expired or about to expire.
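#!/usr/bin/env bash
# Extract from an image build script: decide whether the Docker credentials cached for the
# ECR Public registry are still good for the upcoming push, and re-run the aws|docker login
# chain when they are missing, expired, about to expire, or unreadable.
#
# Requires bash >= 5.0 (EPOCHSECONDS) and assumes GNU coreutils (base64 -d, date -d).
set -euo pipefail
progname="$(basename "$0" .sh)"
# Diagnostics go to stderr, prefixed with the script name, so they never end up in a stdout
# that a caller might be capturing.
note() { printf >&2 '%s: %s\n' "$progname" "$*"; }
# ...
# This bit happens _after_ the build, before the push, so that the time remaining in credentials doesn't need to
# account for build duration
readonly aws_ecr='public.ecr.aws'
# ECR Public's auth API only lives in us-east-1, whatever region the registry is used from.
readonly aws_ecr_region='us-east-1'
# 10 minutes of remaining token lifetime seems reasonable: we've already built, only the push
# still has to fit inside it.
readonly min_remaining_secs=600
# [there is a conditional here, not germane to the example, thus the indent]
# This is an assumption that we're on GNU/Linux with the keyring tools installed, and then
# ~/.docker/config.json having "credsStore": "secretservice"
# With other setups, this will need to find the current credentials another way.
#
# The keyring secret is the password `docker login` was given, i.e. the ECR authorization
# token: base64-encoded JSON carrying an "expiration" field in epoch seconds.  Only that one
# field leaves the pipeline; the token itself is never printed or assigned to a variable.
# `|| true` covers a missing keyring entry and a secret that doesn't decode as base64/JSON
# (pipefail is on, so any failing stage counts), and `// empty` stops jq from printing the
# literal string "null" when the field is absent -- both cases then take the "no credentials"
# branch below instead of being fed into the arithmetic.
exp_time="$(secret-tool lookup docker_cli 1 server "$aws_ecr" | base64 -d | jq -r '.expiration // empty')" || true
need_login=false
if [[ -z "$exp_time" ]]; then
  note "No docker credentials for server $aws_ecr"
  need_login=true
elif [[ ! "$exp_time" =~ ^[0-9]+$ ]]; then
  # Never hand an unvalidated string to (( )): bash evaluates a variable's contents as an
  # arithmetic expression there, and a value such as 'a[$(cmd)]' would execute cmd.  Anything
  # that isn't a plain non-negative integer is treated as unusable and we just log in again.
  # The value is deliberately not echoed, in case the stored secret is not what we expect.
  note "Docker credentials for server $aws_ecr have an unparseable expiration; will re-login"
  need_login=true
elif (( EPOCHSECONDS + min_remaining_secs > exp_time )); then
  if (( EPOCHSECONDS > exp_time )); then
    note "Docker credentials EXPIRED for server $aws_ecr"
  else
    note "Docker credentials EXPIRING SOON for server $aws_ecr"
  fi
  need_login=true
fi
if [[ "$need_login" == true ]]; then
  note "Invoking aws|docker login chain"
  # ECR login is _always_ us-east-1.  The token travels over the pipe and --password-stdin,
  # never as an argument, so it shows up in neither `ps` output nor a `set -x` trace.  With
  # -e and pipefail, a failure of either command aborts the script here rather than leaving
  # it to fail later at the push with a less obvious error.
  aws ecr-public get-login-password --region "$aws_ecr_region" | docker login --username AWS --password-stdin "$aws_ecr"
else
  # BEWARE: assumption of GNU date(1), this doesn't handle BSD date(1)
  # exp_time has been validated as an integer above, so it is safe to splice into the argument.
  note "Docker credentials for $aws_ecr seem fine [expire: $(date -d "@$exp_time" --iso-8601=seconds)]"
fi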