Accessing ECR inside Docker Plugin

We’ve got some integration tests that run inside the docker plugin. Those integration tests want to pull down some docker images for their own purposes. I’d like to pull them from ECR - the same ECR that the ECR plugin has already authenticated to, but I’ve kind of reached a deadend. (We’re on AWS Stack, instance is x86 Linux, agent is v3.43.1)

         - ecr#v2.7.0:
              login: true
              - "d"
              - "p"
              region: us-west-2
              no-include-email: true
         - docker#v5.3.0:
             image: ""
             command: "./"
             expand-volume-vars: true
               - "/var/run/docker.sock:/var/run/docker.sock"
               - "$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY/.docker/config.json:/root/.docker/config.json"
             propagate-environment: true

On the instance, BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY correctly points to a /tmp/tmp.XXX/ dir with a config.json in it. Infact, if I run env as part of my integration test, the BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY brought in through environment: has the correct /tmp/tmp.XXX path, however, the resolved value used in the volumes: stanza is a different /tmp/tmp.YYYY value.

Is this the correct way to give the docker command, running inside the docker plugin, access to private ECR repositories (as previously authenticated via the ECR plugin)?

This got answered for me elsewhere, but two things:

  1. “$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY” as listed resolves at upload time, not a run time, so it needs to be “$$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY”.
  2. It’s just “$$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY/config.json” (no /.docker needed)
1 Like

Hey! Thanks for letting us know! and glad you were able to get an answer :slight_smile: