Merge pull request #138 from Clever/SECNG-2572

Do role-based ECR login before attempting to build
Clever · May 23, 2024 · 7380812 · 7380812
2 parents de1db1c + adabfe1
commit 7380812
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/circleci/docker-publish b/circleci/docker-publish
@@ -104,7 +104,14 @@ install_awscli
 echo "If necessary, add the ECR_BUILD_ID and ECR_BUILD_SECRET env vars to circle manually."
 echo "They can be found in init-service as CI_ECR_XXX_KEY and CI_ECR_XXX_SECRET."
 if [[ -n $ECR_BUILD_ID ]]; then
-  ecr_login us-west-1 $ECR_BUILD_ID $ECR_BUILD_SECRET
+  if [[ -z $OIDC_ECR_UPLOAD_ROLE ]]; then
+    echo "Logging into ECR in us-west-1 using static credentials..."
+    ecr_login us-west-1 $ECR_BUILD_ID $ECR_BUILD_SECRET
+  else
+    echo "Logging into ECR using role credentials..."
+    assume_role_with_web_identity $OIDC_ECR_UPLOAD_ROLE $AWS_ECR_PROFILE 
+    ecr_login_with_profile $ECR_REGION_US_WEST_1
+  fi
 fi
 
 if [ -z "$(docker images -q $ORG/$REPO:$SHORT_SHA)" ]; then