Login to ECR to download Images

Hello,

I'm new to Packer and would appreciate some help from the community please.

I am creating a golden AMI image in AWS and one of the requirements is to pull Docker images from a private ECR so that the images are baked in.
So the way I approach this is to upload a script into the VM which downloads the images, a script that does the following:

  1. export AWS credentials (access key/secret/token)
  2. log in with the AWS CLI to log in to ECR
  3. docker pull image 1, 2, 3…
  4. docker logout
  5. unset the exported credentials

It is all working and good, except now I have to put it into GitHub Actions, which then exposes the keys inside my plain-text bash script.

What I'm doing now is trying to sed (update) the GitHub secrets into the bash script, which I found kind of difficult to achieve.

Is there any other elegant way to achieve this in Packer without modifying anything at runtime?

Appreciate the help,
thanks

Hi!

Glad to see another person on the way to removing secrets from code :clap:

There are several ways to do this, but many include extra tooling, such as an external secrets store with Vault.
If you're interested in that, I have an example that you could use to push images to the GitHub Container Registry:

The easiest way to do this, which is also safe, is to inject the secrets into the template via the environment using the Packer contextual function env. This allows you to:

  1. Declare a template input variable
  2. Define a default for it, which uses env() to look up the value in the environment of the packer process
  3. Or, pass a value via -var on the command line.

You can then store the access key, secret key and token in GitHub Actions secrets, and use them in the packer build stage by passing them to the environment.

Doing things this way means you have no secrets in your template, or indeed in the repository codebase at all. No just-in-time editing of the template, which is exactly what you want :wink:

For a working example of this, albeit not with the AWS ECR push, but instead a push to the GitHub Container Registry, I have

Hope that helps!
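The pattern described in the answer above, written out as an added example (not code from this thread or from brucellino1's repository): variables default to env(), are marked sensitive so Packer redacts them, and reach the guest only as the shell provisioner's process environment. The account id, region, source AMI, SSH user and image name are placeholders, and the amazon plugin is assumed to be installed.

```hcl
# Added example; account id, AMI id, region and image name are placeholders.
# Credential variables default to env(): the value comes from the environment
# of the packer process, which a GitHub Actions step fills from secrets, e.g.
#   env:
#     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
variable "aws_access_key_id" {
  type      = string
  default   = env("AWS_ACCESS_KEY_ID")
  sensitive = true # redacted from Packer's console output and logs
}
variable "aws_secret_access_key" {
  type      = string
  default   = env("AWS_SECRET_ACCESS_KEY")
  sensitive = true
}
variable "aws_session_token" {
  type      = string
  default   = env("AWS_SESSION_TOKEN")
  sensitive = true
}
variable "ecr_registry" {
  type    = string
  default = "123456789012.dkr.ecr.us-east-1.amazonaws.com" # placeholder account id
}

source "amazon-ebs" "golden" {
  region        = "us-east-1"
  source_ami    = "ami-PLACEHOLDER"
  instance_type = "t3.micro"
  ssh_username  = "ubuntu"
  ami_name      = "golden-${formatdate("YYYYMMDDhhmmss", timestamp())}"
}

build {
  sources = ["source.amazon-ebs.golden"]
  provisioner "shell" {
    # Credentials reach the guest only as process environment for this step;
    # no script on disk ever contains them, so there is nothing to sed.
    environment_vars = [
      "AWS_ACCESS_KEY_ID=${var.aws_access_key_id}",
      "AWS_SECRET_ACCESS_KEY=${var.aws_secret_access_key}",
      "AWS_SESSION_TOKEN=${var.aws_session_token}",
      "ECR_REGISTRY=${var.ecr_registry}",
    ]
    inline = [
      "aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin \"$ECR_REGISTRY\"",
      "docker pull \"$ECR_REGISTRY/app:1.0\"",
      "docker logout \"$ECR_REGISTRY\"", # removes the token docker login stored in ~/.docker/config.json, so it is not baked into the AMI
    ]
  }
}
```

The same three variables can also be supplied with -var on the command line, but exporting them in the workflow step's env keeps them out of shell history and job logs.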

Hi @brucellino1! Heaven sent! It worked! Really appreciate the help, mate.
Your codebase really inspired me to learn better patterns. I will definitely refer to this in many future Packer projects. :smiley: Thanks a mil!

1 Like

So glad to be of service :heart: