Accessing ECR inside Docker Plugin

We’ve got some integration tests that run inside the docker plugin. Those integration tests want to pull down some docker images for their own purposes. I’d like to pull them from ECR - the same ECR that the ECR plugin has already authenticated to, but I’ve kind of reached a dead end. (We’re on AWS Stack, instance is x86 Linux, agent is v3.43.1)

        plugins:
         - ecr#v2.7.0:
              login: true
              account_ids:
              - "d"
              - "p"
              region: us-west-2
              no-include-email: true
         - docker#v5.3.0:
             image: "d.dkr.ecr.us-west-2.amazonaws.com/imagename"
             command: "./run-integration-tests.sh"
             expand-volume-vars: true
             volumes:
               - "/var/run/docker.sock:/var/run/docker.sock"
               - "$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY/.docker/config.json:/root/.docker/config.json"
             propagate-environment: true
             ...
             environment:
               - "BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY"

On the instance, BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY correctly points to a /tmp/tmp.XXX/ dir with a config.json in it. In fact, if I run env as part of my integration test, the BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY brought in through environment: has the correct /tmp/tmp.XXX path; however, the resolved value used in the volumes: stanza is a different /tmp/tmp.YYYY value.

Is this the correct way to give the docker command, running inside the docker plugin, access to private ECR repositories (as previously authenticated via the ECR plugin)?

This got answered for me elsewhere, but two things:

  1. "$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY" as listed resolves at upload time, not at run time, so it needs to be "$$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY".
  2. It’s just "$$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY/config.json" (no /.docker needed)
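The two corrections from the reply above applied to the step from the question, as an added example that is not part of the original posts. The options elided with "..." in the question are left out, and the account IDs are the placeholders used in the question.

```yaml
plugins:
  - ecr#v2.7.0:
      login: true
      account_ids:
        - "d"
        - "p"
      region: us-west-2
      no-include-email: true
  - docker#v5.3.0:
      image: "d.dkr.ecr.us-west-2.amazonaws.com/imagename"
      command: "./run-integration-tests.sh"
      # Lets the docker plugin expand variables in volumes: when the job runs.
      expand-volume-vars: true
      volumes:
        - "/var/run/docker.sock:/var/run/docker.sock"
        # "$$" escapes interpolation at pipeline upload, so a literal
        # "$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY" reaches the plugin and is
        # resolved at run time to this job's /tmp/tmp.XXX directory.
        # config.json sits directly in that directory (no /.docker).
        - "$$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY/config.json:/root/.docker/config.json"
      propagate-environment: true
      environment:
        - "BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY"
```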

Hey! Thanks for letting us know, and glad you were able to get an answer!