# =====================================================================================================================
# === AWS Auth template variant
# =====================================================================================================================
# Global defaults for the AWS auth template variant.
variables:
  # Image of the aws-auth-provider sidecar used by .docker-base below.
  # NOTE(review): ":master" is a moving tag, so the sidecar that hands out registry
  # credentials can change between pipeline runs without any change to this file;
  # pinning to a release tag or an image digest keeps it reproducible and auditable.
  TBC_AWS_AUTH_PROVIDER: "$CI_REGISTRY/to-be-continuous/tools/aws-auth-provider:master"
  # Audience claim requested for the AWS_JWT OIDC ID token (defaults to this GitLab instance URL).
  AWS_OIDC_AUD: "$CI_SERVER_URL"
# Base job template: runs the Docker service plus the aws-auth-provider sidecar and
# resolves the ECR registry passwords on demand through the "@url@" variable syntax.
.docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
      command: ["--service", "docker", "5.5.4"]
    # sidecar reached as http://aws-auth-provider from the job (see the @url@ variables below)
    - name: "$TBC_AWS_AUTH_PROVIDER"
      alias: "aws-auth-provider"
  id_tokens:
    # required for OIDC auth
    # GitLab issues this JWT with the audience below; the credential exchange itself
    # presumably happens inside the sidecar, not in this file
    AWS_JWT:
      aud: "$AWS_OIDC_AUD"
  variables:
    # DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://aws-auth-provider/ecr/auth/username?env_ctx=SNAPSHOT"
    # DOCKER_REGISTRY_RELEASE_USER: "@url@http://aws-auth-provider/ecr/auth/username?env_ctx=RELEASE"
    DOCKER_REGISTRY_SNAPSHOT_USER: "AWS" # GetAuthorizationToken API always generates a token for user 'AWS'
    DOCKER_REGISTRY_RELEASE_USER: "AWS" # GetAuthorizationToken API always generates a token for user 'AWS'
    # Resolved at runtime from the sidecar over plain HTTP on the job's service network.
    # NOTE(review): every process running inside the job can call this endpoint, so the
    # ECR token is only as protected as the job's own build steps -- normal for a CI
    # sidecar, but worth remembering when jobs extending this template run code from
    # forks or third-party build plugins.
    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://aws-auth-provider/ecr/auth/password?env_ctx=SNAPSHOT"
    DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://aws-auth-provider/ecr/auth/password?env_ctx=RELEASE"
    # secrets have to be explicitly declared in the YAML to be exported to the service
    AWS_JWT: "$AWS_JWT"
    # can't use AWS_ACCESS_KEY_ID as it is read by boto3
    AWS_DEFAULT_ACCESS_KEY_ID: "$AWS_ACCESS_KEY_ID"
    # can't use AWS_SECRET_ACCESS_KEY as it is read by boto3
    AWS_DEFAULT_SECRET_ACCESS_KEY: "$AWS_SECRET_ACCESS_KEY"
    # per-environment (SNAPSHOT / RELEASE) static credentials, re-declared here under the
    # same names -- presumably so the sidecar can read them, as with AWS_JWT above
    AWS_SNAPSHOT_ACCESS_KEY_ID: "$AWS_SNAPSHOT_ACCESS_KEY_ID"
    AWS_SNAPSHOT_SECRET_ACCESS_KEY: "$AWS_SNAPSHOT_SECRET_ACCESS_KEY"
    AWS_RELEASE_ACCESS_KEY_ID: "$AWS_RELEASE_ACCESS_KEY_ID"
    AWS_RELEASE_SECRET_ACCESS_KEY: "$AWS_RELEASE_SECRET_ACCESS_KEY"