Im new to packer and would appreciate some help from the community please.
I am creating a golden ami image into aws and one of the requirements is to pull docker images from a private ECR so that the images are baked.
so the way i approach to achieve this is to upload a script into the VM which downloads the image
script that does the following:
export aws credentials (accesskey/secret/token)
login to awscli to login into ecr
docker pull image 1,2,3…
unset the exported credentials
it is all working and good except now i have to put it into github/actions. which then exposes the keys inside my plain text bashscript
what im doing now is trying to SED (update) the githubsecrets into the bashscript which i found kind of difficult to achieve.
is there any other elegant way to achieve this in packer without modifying anything at runtime?
Glad to see another person on the way to removing secrets from code
There are several ways to do this, but many include extra tooling, such as an external secrets store with Vault.
If you’re interested in that, I have an example that you could use to push images to the github container registry:
The easiest way to do this, that is also safe, is to inject the secrets into the template via the environment using the Packer contextual function env. This allows you to:
Declare a template input variable
Define a default for it, which uses env() to look up the value in the environment of the packer process
Or, pass a value via -var on the command line.
You can then store the access key, secret key and token in github actions secrets, and use them in the packer build stage by passing them to the environment
Doing things this way means you have no secrets in your template, or indeed in the repository codebase at all. No just-in-time editing of the template,
which is exactly what you want
For a working example of this, albeit not with the AWS ECR push, but instead push to github container registry, I have
Hi @brucellino1! heaven sent! it worked! really appreciate the help mate.
Your’e codebase really inspired me to learn better patterns. I will definitely refer to this in many future packer projects. thanks a mil!