DockerCredential

class aws_cdk.pipelines.DockerCredential(usages=None)

Bases: object

Represents credentials used to access a Docker registry.

Example:

from aws_cdk import aws_ecr as ecr, aws_secretsmanager as secretsmanager, pipelines

# Inside a Stack or Construct, where `self` is the scope.
# Registry credentials are referenced from Secrets Manager, never inlined.
docker_hub_secret = secretsmanager.Secret.from_secret_complete_arn(self, "DHSecret", "arn:aws:...")
custom_reg_secret = secretsmanager.Secret.from_secret_complete_arn(self, "CRSecret", "arn:aws:...")
# Construct IDs must be unique within a scope, so each repository gets its own ID.
repo1 = ecr.Repository.from_repository_arn(self, "Repo1", "arn:aws:ecr:eu-west-1:0123456789012:repository/Repo1")
repo2 = ecr.Repository.from_repository_arn(self, "Repo2", "arn:aws:ecr:eu-west-1:0123456789012:repository/Repo2")

pipeline = pipelines.CodePipeline(self, "Pipeline",
    docker_credentials=[
        pipelines.DockerCredential.docker_hub(docker_hub_secret),
        pipelines.DockerCredential.custom_registry("dockerregistry.example.com", custom_reg_secret),
        # Both repositories share one account and region, so they go in a single ecr() call.
        pipelines.DockerCredential.ecr([repo1, repo2])
    ],
    synth=pipelines.ShellStep("Synth",
        input=pipelines.CodePipelineSource.connection("my-org/my-app", "main",
            connection_arn="arn:aws:codestar-connections:us-east-1:222222222222:connection/7d2469ff-514a-4e4f-9003-5ca4a43cdc41"
        ),
        commands=["npm ci", "npm run build", "npx cdk synth"]
    )
)

Parameters

usages (Optional[Sequence[DockerCredentialUsage]]) –

Methods

abstract grant_read(grantee, usage)

Grant read-only access to the registry credentials.

This grants read access to any secrets, and pull access to any repositories.

Parameters
  • grantee (IGrantable) –

  • usage (DockerCredentialUsage) –

Return type

None

Static Methods

classmethod custom_registry(registry_domain, secret, *, assume_role=None, secret_password_field=None, secret_username_field=None, usages=None)

Creates a DockerCredential for a registry, based on its domain name (e.g., ‘www.example.com’).

Parameters
  • registry_domain (str) –

  • secret (ISecret) –

  • assume_role (Optional[IRole]) – An IAM role to assume prior to accessing the secret. Default: - none. The current execution role will be used.

  • secret_password_field (Optional[str]) – The name of the JSON field of the secret which contains the secret/password. Default: ‘secret’

  • secret_username_field (Optional[str]) – The name of the JSON field of the secret which contains the user/login name. Default: ‘username’

  • usages (Optional[Sequence[DockerCredentialUsage]]) – Defines which stages of the pipeline should be granted access to these credentials. Default: - all relevant stages (synth, self-update, asset publishing) are granted access.

Return type

DockerCredential

classmethod docker_hub(secret, *, assume_role=None, secret_password_field=None, secret_username_field=None, usages=None)

Creates a DockerCredential for DockerHub.

Convenience method for custom_registry('https://index.docker.io/v1/', opts).

Parameters
  • secret (ISecret) –

  • assume_role (Optional[IRole]) – An IAM role to assume prior to accessing the secret. Default: - none. The current execution role will be used.

  • secret_password_field (Optional[str]) – The name of the JSON field of the secret which contains the secret/password. Default: ‘secret’

  • secret_username_field (Optional[str]) – The name of the JSON field of the secret which contains the user/login name. Default: ‘username’

  • usages (Optional[Sequence[DockerCredentialUsage]]) – Defines which stages of the pipeline should be granted access to these credentials. Default: - all relevant stages (synth, self-update, asset publishing) are granted access.

Return type

DockerCredential

classmethod ecr(repositories, *, assume_role=None, usages=None)

Creates a DockerCredential for one or more ECR repositories.

NOTE - All ECR repositories in the same account and region share a domain name (e.g., 0123456789012.dkr.ecr.eu-west-1.amazonaws.com), and can only have one associated set of credentials (and DockerCredential). Attempting to associate one set of credentials with one ECR repo and another with another ECR repo in the same account and region will result in failures when using these credentials in the pipeline.

Parameters
  • repositories (Sequence[IRepository]) –

  • assume_role (Optional[IRole]) – An IAM role to assume prior to accessing the secret. Default: - none. The current execution role will be used.

  • usages (Optional[Sequence[DockerCredentialUsage]]) – Defines which stages of the pipeline should be granted access to these credentials. Default: - all relevant stages (synth, self-update, asset publishing) are granted access.

Return type

DockerCredential
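
The NOTE on ecr() above can be enforced before synthesis with a check like the following. This is an added example, not part of the AWS CDK library or its documentation; the function names (registry_domain, find_conflicts, merge_by_domain), the group labels and the sample plan are assumptions made for illustration, and only the standard aws partition is handled.

```python
import re
from collections import defaultdict

# arn:aws:ecr:<region>:<account>:repository/<name> (standard partition only)
_ECR_ARN = re.compile(
    r"^arn:aws:ecr:(?P<region>[a-z0-9-]+):(?P<account>\d+):repository/(?P<name>.+)$"
)

def registry_domain(repo_arn):
    """Registry domain shared by every repository in the ARN's account and region."""
    m = _ECR_ARN.match(repo_arn)
    if m is None:
        raise ValueError(f"not an ECR repository ARN: {repo_arn!r}")
    return f"{m['account']}.dkr.ecr.{m['region']}.amazonaws.com"

def find_conflicts(groups):
    """Return {domain: [group labels]} for domains claimed by more than one group.

    groups maps a label to the repository ARNs planned for one
    DockerCredential.ecr([...]) call.
    """
    claimed = defaultdict(set)
    for label, arns in groups.items():
        for arn in arns:
            claimed[registry_domain(arn)].add(label)
    return {dom: sorted(labels) for dom, labels in claimed.items() if len(labels) > 1}

def merge_by_domain(groups):
    """Regroup repositories so each domain maps to exactly one list of ARNs."""
    merged = defaultdict(list)
    for arns in groups.values():
        for arn in arns:
            bucket = merged[registry_domain(arn)]
            if arn not in bucket:
                bucket.append(arn)
    return dict(merged)

# Constructed sample plan: two groups that both touch eu-west-1 in one account.
PLAN = {
    "build": ["arn:aws:ecr:eu-west-1:0123456789012:repository/Repo1"],
    "publish": [
        "arn:aws:ecr:eu-west-1:0123456789012:repository/Repo2",
        "arn:aws:ecr:us-east-1:0123456789012:repository/Repo3",
    ],
}

if __name__ == "__main__":
    for domain, labels in find_conflicts(PLAN).items():
        print(f"{domain}: claimed by {labels}; use one ecr([...]) call")
    print(merge_by_domain(PLAN))
```

Merging repositories into one ecr() call means they share a single assume_role and usages setting, so review the merged grant against what each pipeline stage actually needs to pull.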