Add ECR as a first-class source #110

Open
atrauzzi opened this issue Oct 1, 2018 · 4 comments
Labels
feature-request New feature or enhancement. May require GitHub community feedback.

Comments

@atrauzzi

atrauzzi commented Oct 1, 2018

I would like to use a Docker image for my build pipelines, but unfortunately I have no way of automating authentication in the pipeline prior to the container being downloaded.

The 12 hour key restriction for ECR makes it basically impossible to use containers from ECR for my builds.

@stevejroberts
Contributor

Can you explain a little more what you're looking for? Is it a task to handle authentication to ECR 'on demand' so you don't run into a 12 hour expiry but get a fresh token each build? Or something else?

@atrauzzi
Author

atrauzzi commented Oct 2, 2018

Right! So when I use ECR as a source for the container that Azure DevOps executes all its commands through, I have no way of configuring it to avoid getting snagged by that 12 hour restriction.

So, in my YAML I have:

```yaml
resources:
  containers:
  - container: "build-image"
    endpoint: "build-image"
    image: "[REDACTED].azurecr.io/[REDACTED]/build-image:latest"

jobs:
  - job: "code"
    pool:
      vmImage: 'Ubuntu 16.04'
    container: "build-image"
```

I switched to using Azure's container registry because it has passwords that don't expire after 12 hours. That connection is configured as a first-class connection in the project settings of Azure DevOps. I'm thinking for AWS to be satisfied, it needs to provide a container registry type that does the song & dance to acquire tokens on the fly when being accessed.

@atrauzzi
Author

atrauzzi commented Oct 2, 2018

Sidenote: I understand why AWS does this; obviously long-lived tokens like this are not great for security. But the ecosystem is not aware of any conventions AWS chooses to layer overtop, which causes situations like this.
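
Added example, not code from this issue or from the AWS toolkit: a sketch of the on-demand token acquisition discussed in the comments above, showing how an ECR authorization token decodes into registry credentials and when a cached one must be replaced. `EcrCredentialProvider`, `REFRESH_MARGIN` and the constructed response (with a placeholder account ID) are assumptions for illustration; `boto3_fetch` shows the real `get_authorization_token` call but is not exercised by the demo.

```python
import base64
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=30)  # assumed safety margin, not an AWS value

def parse_auth_data(entry):
    """Turn one authorizationData entry into Docker login credentials."""
    decoded = base64.b64decode(entry["authorizationToken"]).decode()
    user, _, password = decoded.partition(":")
    if user != "AWS" or not password:
        raise ValueError("unexpected ECR token format")
    return {"registry": entry["proxyEndpoint"], "username": user,
            "password": password, "expires_at": entry["expiresAt"]}

class EcrCredentialProvider:
    """Hypothetical helper: caches credentials, refetching near expiry."""
    def __init__(self, fetch, now=lambda: datetime.now(timezone.utc)):
        self._fetch, self._now, self._creds = fetch, now, None

    def credentials(self):
        c = self._creds
        if c is None or c["expires_at"] - self._now() <= REFRESH_MARGIN:
            entry = self._fetch()["authorizationData"][0]
            self._creds = c = parse_auth_data(entry)
        return c

def boto3_fetch():
    """Real ECR call; needs boto3 and AWS credentials (unused in the demo)."""
    import boto3
    return boto3.client("ecr").get_authorization_token()

def constructed_response(issued_at):
    """Constructed sample shaped like a GetAuthorizationToken response."""
    token = base64.b64encode(b"AWS:constructed-password").decode()
    return {"authorizationData": [{
        "authorizationToken": token,
        "expiresAt": issued_at + timedelta(hours=12),
        "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com"}]}

def demo():
    """Simulate builds at t+0h, t+6h and t+13h; return the number of fetches."""
    clock, fetched = {"now": datetime(2018, 10, 1, tzinfo=timezone.utc)}, []
    def fetch():
        fetched.append(clock["now"])
        return constructed_response(clock["now"])
    provider = EcrCredentialProvider(fetch, now=lambda: clock["now"])
    for hours in (0, 6, 7):
        clock["now"] += timedelta(hours=hours)
        provider.credentials()
    return len(fetched)
```

The build at t+6h reuses the cached token, while the one at t+13h falls past the 12 hour expiry and triggers a second fetch.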

@awschristou awschristou added the feature-request New feature or enhancement. May require GitHub community feedback. label Feb 20, 2019
@sukoneck

Same here.
