I’ve set up a drone registry plugin following the instructions here: https://github.com/drone/drone-registry-plugin. I can verify with the drone cli that there is a username and password set for my ECR repository.
I’ve also configured my drone docker runner (drone/drone-runner-docker:latest) with the DRONE_REGISTRY_PLUGIN_ENDPOINT and DRONE_REGISTRY_PLUGIN_TOKEN env variables.
However I can’t seem to find the correct way to reference these when running my pipeline steps. I’m just getting auth failures when using ‘plugins/docker’.
Can someone point me in the right direction?
Thanks!
the registry plugin is used to pull private images required to run your pipeline steps:
image: <image>
the registry plugin does not expose registry credentials to your pipeline or to your pipeline steps, which means the Docker plugin does not have access to these credentials. This is by design. If you want to globally expose secrets to a plugin you can use organization secrets (https://docs.drone.io/configure/secrets/organization/).
OK I think I understand that. How would one use organization secrets with AWS ECR where the keys expire on a regular basis? The Dockerfile I am trying to build references a private base image as the FROM image and I am getting errors trying to pull it.
you would use plugins/ecr which you provide an aws access key and secret key, which are used to generate fresh login credentials.
http://plugins.drone.io/drone-plugins/drone-ecr/
I went ahead and used the plugins/ecr as my first step and it builds and pushes the new image as expected.
However in the next step where I’d like to run my tests I’m getting basic auth failures. Maybe I misunderstood but I thought this is where the registry plugin would have provided the correct credentials for pulling the private image.
My drone.yml looks like this:
---
kind: pipeline
type: docker
name: test
steps:
- name: build
  image: plugins/ecr
  settings:
    access_key:
      from_secret: aws_access_key_id
    secret_key:
      from_secret: aws_secret_access_key
    repo: example.com/example-api
    registry: 123456789.dkr.ecr.us-east-1.amazonaws.com
    cache_from:
    - 123456789.dkr.ecr.us-east-1.amazonaws.com/example.com/example-api:latest
    - 123456789.dkr.ecr.us-east-1.amazonaws.com/example.com/example-api:${DRONE_BRANCH}
    tags:
    - ${DRONE_COMMIT_BRANCH}
    - ${DRONE_COMMIT_SHA:0:7}
- name: test
  image: 123456789.dkr.ecr.us-east-1.amazonaws.com/example.com/example-api:${DRONE_COMMIT_SHA:0:7}
  commands:
  - cd /home/app
  - rspec spec
If it’s useful the error I’m getting is:
drone-runner: Error response from daemon: Get https://123456789.dkr.ecr.us-east-1.amazonaws.com/example.com/example-api/manifests/5d00b78: no basic auth credentials