amazon-ssm-credential-helper

module
v0.0.0-...-156c033 Latest
This package is not in the latest version of its module.

Published: Sep 26, 2017 License: Apache-2.0

README

Amazon SSM Docker Credential Helper

The Amazon SSM Docker Credential Helper is a credential helper for the Docker daemon that makes it easier to use AWS EC2 Systems Manager Parameter Store to share credentials for third-party private Docker registries such as JFrog Artifactory or Quay.io.

Prerequisites

You must have at least Docker 1.11 installed on your system.

You also must have AWS credentials available in one of the standard locations:

  • The ~/.aws/credentials file
  • The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
  • An IAM role for Amazon EC2
  • If you are working with an assumed role, also set the environment variable AWS_SDK_LOAD_CONFIG=true.

The Amazon SSM Docker Credential Helper uses the same credentials as the AWS CLI and the AWS SDKs. For more information about configuring AWS credentials, see Configuration and Credential Files in the AWS Command Line Interface User Guide.

The credentials must have a policy applied that allows access to Amazon SSM.

Installing

To build and install the Amazon SSM Docker Credential Helper, we suggest having Go 1.6+, git, and make installed on your system.

You can install this via go get with:

go get -u github.com/kindlyops/amazon-ssm-credential-helper/ssm-login/cli/docker-credential-ssm-login

If you already have a Docker environment, just clone this repository anywhere and run make docker. This command builds the binary with Go inside a Docker container and outputs it to the local directory.

With the TARGET_GOOS environment variable, you can also cross-compile the binary.

Place the docker-credential-ssm-login binary on your PATH and set the contents of your ~/.docker/config.json file to be:

{
	"credsStore": "ssm-login"
}

This configures the Docker daemon to use the credential helper for all Amazon ECR registries.

With Docker 1.13.0 or greater, you can configure Docker to use different credential helpers for different registries. To use this credential helper for a specific ECR registry, create a credHelpers section with the URI of your ECR registry:

{
	"credHelpers": {
		"your-private-registry.jfrog.io": "ssm-login"
	}
}

This is useful if you use Docker to operate on registries that use different authentication credentials.
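To see which helper binary a given config.json hands a registry's credential lookups to, the following added example (not part of this project's code) resolves it for the two snippets above. It assumes the Docker client's lookup order, a credHelpers entry for the host first and credsStore as the catch-all second, and the docker-credential-<name> binary naming; resolveHelper and the sample variables are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// dockerConfig holds the two config.json keys that select a credential helper.
type dockerConfig struct {
	CredsStore  string            `json:"credsStore"`
	CredHelpers map[string]string `json:"credHelpers"`
}

// resolveHelper returns the helper binary that would be run for a registry host
// and whether the match came from the catch-all credsStore. An empty binary
// name means no helper is configured for that host.
func resolveHelper(configJSON []byte, registry string) (binary string, catchAll bool, err error) {
	var cfg dockerConfig
	if err = json.Unmarshal(configJSON, &cfg); err != nil {
		return "", false, fmt.Errorf("parse config.json: %w", err)
	}
	// A per-registry entry wins over the global store.
	if name := cfg.CredHelpers[registry]; name != "" {
		return "docker-credential-" + name, false, nil
	}
	// credsStore applies to every registry without its own entry.
	if cfg.CredsStore != "" {
		return "docker-credential-" + cfg.CredsStore, true, nil
	}
	return "", false, nil
}

// Constructed sample configs matching the two snippets in this README.
var (
	storeConfig   = []byte(`{"credsStore": "ssm-login"}`)
	helpersConfig = []byte(`{"credHelpers": {"your-private-registry.jfrog.io": "ssm-login"}}`)
)

func main() {
	for _, host := range []string{"your-private-registry.jfrog.io", "quay.io"} {
		for _, cfg := range [][]byte{storeConfig, helpersConfig} {
			bin, all, err := resolveHelper(cfg, host)
			fmt.Printf("%s with %s -> %q catchAll=%v err=%v\n", host, cfg, bin, all, err)
		}
	}
}
```

With the credsStore form, lookups for every registry host reach the helper; with credHelpers, only the listed host does.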

Usage

docker pull your-private-registry.jfrog.io/my-repository:my-tag

docker push your-private-registry.jfrog.io/my-repository:my-tag

There is no need to use docker login or docker logout.

Usage with Docker Compose

Note that the current version of Docker Compose (1.14.0 at the time of writing) does not support credHelpers. See docker/compose#4948 for more information. Until this is supported, you need to specify "credsStore": "ecr-login" as described above. Alternatively, you can manually pull your images with docker pull <your image>, before running docker-compose up.

Troubleshooting

Logs from the Amazon SSM Docker Credential Helper are stored in ~/.ssm/log.

For more information about Amazon SSM, see the Amazon Systems Manager Parameter Store documentation.

License

The Amazon SSM Docker Credential Helper is licensed under the Apache 2.0 License.

Directories

Path: Synopsis
api
api/mocks: Package mock_ssmiface is a generated GoMock package.
cache/mocks: Package mock_cache is a generated GoMock package.
mocks: Package mock_api is a generated GoMock package.
