feat(ENV): allow the default registry when no match

While not "officially" supported, it is possible to alias an ECR registry with DNS (eg ecr.example.io). This change adds support for the AWS_ECR_USE_DEFAULT_REGISTRY environment variable which, when set to a non-empty value, will force this tool to use the default registry when authenticating.
awslabs · Sep 18, 2024 · 378cc07 · 378cc07
1 parent bef5bd9
commit 378cc07
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -142,7 +142,7 @@ A community-maintained package is available in the [Alpine Linux aports Reposito
 ```bash
 $ apk add docker-credential-ecr-login
 ```
-> [!NOTE] 
+> [!NOTE]
 > Badge only shows edge, check [repository](https://pkgs.alpinelinux.org/packages?name=docker-credential-ecr-login) for stable releases or add `--repository=http://dl-cdn.alpinelinux.org/alpine/edge/community`
 
 Once you have installed the credential helper, see the
@@ -219,7 +219,7 @@ contents of your `~/.docker/config.json` file to be:
 This configures the Docker daemon to use the credential helper for all Amazon
 ECR registries.
 
-The Amazon ECR Docker Credential Helper can be used alongside your existing docker login authentication tokens: 
+The Amazon ECR Docker Credential Helper can be used alongside your existing docker login authentication tokens:
 
 ```json
 {
@@ -293,6 +293,7 @@ The credentials must have a policy applied that
 | AWS_ECR_DISABLE_CACHE        | true          | Disables the local file auth cache if set to a non-empty value     |
 | AWS_ECR_CACHE_DIR            | ~/.ecr        | Specifies the local file auth cache directory location             |
 | AWS_ECR_IGNORE_CREDS_STORAGE | true          | Ignore calls to docker login or logout and pretend they succeeded  |
+| AWS_ECR_USE_DEFAULT_REGISTRY | true          | Uses the default registry when the provided one cannot be parsed   |
 
 ## Usage
 
@@ -335,7 +336,7 @@ If you test any experimental feaures, you can give feedback via the feature's tr
 * Suggested improvements
 
 Experimental features are incomplete in design and implementation. Backwards incompatible
-changes may be introduced at any time or support dropped entirely. Therefore experimental 
+changes may be introduced at any time or support dropped entirely. Therefore experimental
 features are **not recommended** for use in production environments.
 
 ## Security disclosures

diff --git a/ecr-login/api/client.go b/ecr-login/api/client.go
@@ -18,6 +18,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/url"
+	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -37,7 +38,10 @@ const (
 	ecrPublicEndpoint   = proxyEndpointScheme + ecrPublicName
 )
 
-var ecrPattern = regexp.MustCompile(`^(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`)
+var (
+	ecrPattern = regexp.MustCompile(`^(\d{12})\.dkr\.ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.com(\.cn)?|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`)
+	ecrUseDefaultRegistry = os.Getenv("AWS_ECR_USE_DEFAULT_REGISTRY")
+)
 
 type Service string
 
@@ -69,7 +73,14 @@ func ExtractRegistry(input string) (*Registry, error) {
 		}, nil
 	}
 	matches := ecrPattern.FindStringSubmatch(serverURL.Hostname())
-	if len(matches) == 0 {
+	if len(matches) == 0 && ecrUseDefaultRegistry != "" {
+		return &Registry{
+			Service: ServiceECR,
+			ID:      "",
+			FIPS:    false,
+			Region:  "",
+		}, nil
+	} else if len(matches) == 0 {
 		return nil, fmt.Errorf(programName + " can only be used with Amazon Elastic Container Registry.")
 	} else if len(matches) < 3 {
 		return nil, fmt.Errorf("%q is not a valid repository URI for Amazon Elastic Container Registry.", input)