-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(codebuild): allow specifying principals and credentials for pulling build images #3049
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have some minor comments after the initial pass, but one big concern.
I see the implementation of LinuxBuildImage/WindowsBuildImage
's fromAsset
methods changed significantly. This is also reflected in the changes to the integ.ecr.lit.expect.json
file (which should be rare). Can you post a rationale for doing these changes? Is this a difference in the behavior of CodeBuild's backend, that makes the current implementation possible? Or was just the "old" behavior always incorrect, in your mind? I would love to hear some details about this.
packages/@aws-cdk/aws-codebuild/test/integ.docker-registry.lit.ts
Outdated
Show resolved
Hide resolved
We want customers to use their own service role to pull ECR images instead of using codebuild's service role. Therefore, we need to move the role policy from customers ECR repo to their service role. Looks like I do make a mistake that policy was not added to customers service role correctly. I will update this PR later to fix it. |
fb6c5fb
to
a6cc355
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good.
Can you please fix the PR title and follow the contribution guidelines with a clear description of what this PR is doing (not just a reference to an issue, but description of how you solved it)?
Also, would it make sense to also update the ECS module to use the same terminology (@rix0rrr)
a6cc355
to
ee51df2
Compare
ce6c01f
to
c85f204
Compare
c85f204
to
47de059
Compare
e182467
to
cad83dc
Compare
@eladb submitted a new revision which (I believe) addresses all your comments. Please re-review when you have a second. Thanks! |
…ing build images. When using an image that is hosted in a private Docker registry, you have to pass the appropriate credentials in order to authenticate against that registry. This change allows passing those credentials when creating a custom build image. It also introduces the concept of the principal that CodeBuild will use to pull the image - previously, CodeBuild would always use its own identity when pulling images, which meant using it with an ECR-hosted image required changing the resource policy of the repository to trust CodeBuild's service principal. Now, the default is to use the project's role when doing the pull of the image. Fixes aws#2175 BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry() * codebuild.WindowsBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
cad83dc
to
e218f9d
Compare
When using an image that is hosted in a private Docker registry,
you have to pass the appropriate credentials in order to authenticate against that registry.
This change allows passing those credentials when creating a custom build image.
It also introduces the concept of the principal that CodeBuild will use to pull the image -
previously, CodeBuild would always use its own identity when pulling images,
which meant using it with an ECR-hosted image required changing the resource policy of the repository to trust CodeBuild's service principal.
Now, the default is to use the project's role when doing the pull of the image.
Fixes #2175
BREAKING CHANGE: codebuild.LinuxBuildImage.fromDockerHub() has been renamed to fromDockerRegistry()
Pull Request Checklist
design
folderBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license