I'm new to Packer and would appreciate some help from the community, please.
I am creating a golden AMI image in AWS, and one of the requirements is to pull Docker images from a private ECR so that the images are baked in.
So the way I approach achieving this is to upload a script into the VM which downloads the images, a
script that does the following:
export AWS credentials (access key/secret/token)
log in to ECR with the AWS CLI
docker pull image 1, 2, 3…
docker logout
unset the exported credentials
It is all working and good, except now I have to put it into GitHub Actions, which then exposes the keys inside my plain-text bash script.
What I'm doing now is trying to sed (update) the GitHub secrets into the bash script, which I found kind of difficult to achieve.
Is there any other elegant way to achieve this in Packer without modifying anything at runtime?
Glad to see another person on the way to removing secrets from code.
There are several ways to do this, but many involve extra tooling, such as an external secrets store like Vault.
If you're interested in that, I have an example that you could use to push images to the GitHub container registry:
The easiest way to do this, which is also safe, is to inject the secrets into the template via the environment using the Packer contextual function env. This allows you to:
Declare a template input variable
Define a default for it, which uses env() to look up the value in the environment of the packer process
Or, pass a value via -var on the command line.
You can then store the access key, secret key and token in GitHub Actions secrets, and use them in the packer build stage by passing them to the environment.
Doing things this way means you have no secrets in your template, or indeed in the repository codebase at all. No just-in-time editing of the template,
which is exactly what you want.
For a working example of this, albeit not with the AWS ECR push, but instead a push to the GitHub container registry, I have
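A worked template for the approach described in the answer above, added here as an illustration; it is not code from the original thread or from brucellino1's repository. It combines the input variables with env() defaults with the ECR login, pull and logout steps from the question, run as a Packer shell provisioner so the credentials exist in the guest only as environment variables for the lifetime of that provisioner. The region, account ID, image names and base-AMI filter are placeholders, and it assumes the AWS CLI and Docker are already installed on the base image and that the SSH user can run docker.

```hcl
# Added example (not from the original thread): a Packer HCL2 template that
# reads the ECR credentials from the environment of the packer process via
# env(), so no secret is written into the template or the repository.
# Region, account ID, image names and the AMI filter are placeholders.

packer {
  required_plugins {
    amazon = {
      source  = "github.com/hashicorp/amazon"
      version = ">= 1.0.0"
    }
  }
}

# Each variable defaults to the matching environment variable of the packer
# process; sensitive = true keeps Packer from echoing the value in its output.
variable "aws_access_key_id" {
  type      = string
  default   = env("AWS_ACCESS_KEY_ID")
  sensitive = true
}

variable "aws_secret_access_key" {
  type      = string
  default   = env("AWS_SECRET_ACCESS_KEY")
  sensitive = true
}

variable "aws_session_token" {
  type      = string
  default   = env("AWS_SESSION_TOKEN")
  sensitive = true
}

variable "aws_region" {
  type    = string
  default = "eu-west-1" # placeholder
}

variable "ecr_registry" {
  type    = string
  default = "123456789012.dkr.ecr.eu-west-1.amazonaws.com" # placeholder account ID
}

variable "images" {
  type    = list(string)
  default = ["app/api:1.2.3", "app/worker:1.2.3"] # placeholder repository:tag names
}

source "amazon-ebs" "golden" {
  region        = var.aws_region
  instance_type = "t3.small"
  ssh_username  = "ubuntu"
  ami_name      = "golden-with-ecr-images-${formatdate("YYYYMMDDhhmmss", timestamp())}"

  source_ami_filter {
    filters = {
      name                = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"
      virtualization-type = "hvm"
      root-device-type    = "ebs"
    }
    owners      = ["099720109477"] # Canonical
    most_recent = true
  }
}

build {
  sources = ["source.amazon-ebs.golden"]

  # The credentials reach the guest only as environment variables of this one
  # provisioner; nothing writes them to ~/.aws or to disk, so they are not baked
  # into the AMI. Assumes the AWS CLI and Docker are already on the base image.
  provisioner "shell" {
    inline_shebang = "/bin/bash -e"
    environment_vars = [
      "AWS_ACCESS_KEY_ID=${var.aws_access_key_id}",
      "AWS_SECRET_ACCESS_KEY=${var.aws_secret_access_key}",
      "AWS_SESSION_TOKEN=${var.aws_session_token}",
      "AWS_DEFAULT_REGION=${var.aws_region}",
      "ECR_REGISTRY=${var.ecr_registry}",
      "IMAGES=${join(" ", var.images)}",
    ]
    inline = [
      "set -uo pipefail",
      # get-login-password prints a short-lived registry token; --password-stdin
      # keeps it out of the process list and shell history.
      "aws ecr get-login-password | docker login --username AWS --password-stdin \"$ECR_REGISTRY\"",
      "for img in $IMAGES; do docker pull \"$ECR_REGISTRY/$img\"; done",
      # docker logout drops the registry entry from ~/.docker/config.json.
      "docker logout \"$ECR_REGISTRY\"",
      # Fail the build if any auth entry for the registry is still on disk.
      "if grep -q \"$ECR_REGISTRY\" ~/.docker/config.json 2>/dev/null; then echo 'ECR auth still present in docker config' >&2; exit 1; fi",
    ]
  }
}
```

In the GitHub Actions job, the build step sets the three AWS variables in its env: block from the repository secrets (for example AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}) and then runs packer build; both the amazon-ebs builder, which reads the standard AWS environment variables to launch the build instance, and the template variables above pick them up from that environment. Passing them with -var instead works but places the values on the packer command line, where they are visible in the process listing. If the workflow obtains credentials through aws-actions/configure-aws-credentials with OIDC, that action exports the same three variables with short-lived credentials, so no long-lived keys need to be stored as secrets at all.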
Hi @brucellino1! Heaven sent! It worked! Really appreciate the help, mate.
Your codebase really inspired me to learn better patterns. I will definitely refer to this in many future Packer projects. Thanks a mil!