Recently I've been integrating Kamal with our infrastructure, and I've run into a use-case that might be interesting to add to Kamal.
Currently, we are deploying to a set of hosts on AWS. Each of these hosts uses something called instance roles (delegated permissions for all AWS operations on that particular EC2 instance - in short, "if I want to do something with an AWS service, the authentication is performed for me automatically based on rules I've specified elsewhere"). Along with this, these hosts are using something called ECR Credentials Helper, a script that uses an instance's IAM credentials to automatically authenticate with an ECR repository such that a command like this:
docker run -it <ecr-repo>/my_image /bin/bash
does not require a prior docker login, as the instance is "already" authenticated with ECR by virtue of its IAM role.
Which, all to say, puts us in a slightly weird situation with Kamal. In this situation, I have some contexts (namely, local) where I absolutely do want Kamal to log in to the registry. The user building the docker image should be authenticating. However, in some other contexts, I do not want Kamal to log in to the registry, as the instance has already been authenticated according to its IAM role. (I should note here that while, ideally, docker login being applied on the EC2 server should work as it always did, the presence of the credentials helper actually causes the docker login command to fail.)
In any case, I was able to hack together a solution for my use case that allowed me to only perform a docker login when running locally, but assume that docker commands on the remote side happened within a trusted environment.
Since this is kind of a weird case, I'm happy to maintain my hack, but also, I could see an argument that other folks would want to similarly be able to specify something like "docker login credentials WHEN LOCAL" v. "docker login credentials WHEN REMOTE", up to and including "there are no docker login credentials at all, so do not attempt to authenticate with the registry".
If any of what I said above seems like an acceptable feature for Kamal, I'd be happy to provide a PR, but would love to know whether or not this is something that would be likely to be accepted before I put in any work here.
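The local-versus-remote decision described in the post can be derived from the Docker client configuration itself. The sketch below is an added example, not the poster's hack and not Kamal code: it reads a `config.json` and reports whether `docker login` should be attempted for an image's registry. The function names, the sample account id and region, and the choice to treat only `ecr-login` as a helper that makes `docker login` fail are assumptions.

```ruby
require "json"

# Helpers that supply credentials on demand, so `docker login` is skipped.
# Assumption: only ecr-login (the ECR credential helper) is treated this way.
READ_ONLY_HELPERS = %w[ecr-login].freeze

# Registry host of an image reference, following Docker's rule: the first path
# component is a registry only if it contains "." or ":" or is "localhost".
def registry_host(image)
  first, rest = image.split("/", 2)
  return "docker.io" if rest.nil?
  first.match?(/[.:]/) || first == "localhost" ? first : "docker.io"
end

# Name of the credential helper Docker would consult for this registry:
# a per-registry credHelpers entry wins over the global credsStore.
def helper_for(config, registry)
  config.fetch("credHelpers", {})[registry] || config["credsStore"]
end

# :skip_login when such a helper covers the registry, :login otherwise.
def login_action(config_json, image)
  config = JSON.parse(config_json)
  helper = helper_for(config, registry_host(image))
  READ_ONLY_HELPERS.include?(helper) ? :skip_login : :login
end

# Constructed sample configs (account id and region are placeholders).
REMOTE_CONFIG = <<~JSON
  {"credHelpers": {"123456789012.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"}}
JSON
LOCAL_CONFIG = '{"auths": {}}'
IMAGE = "123456789012.dkr.ecr.us-east-1.amazonaws.com/my_image"

if __FILE__ == $PROGRAM_NAME
  puts "remote host: #{login_action(REMOTE_CONFIG, IMAGE)}"
  puts "local build: #{login_action(LOCAL_CONFIG, IMAGE)}"
end
```

Keying the decision on the registry host rather than on "local" or "remote" also covers a host that pulls from both ECR and a second registry that still needs explicit credentials.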