FR: support for AWS profiles for ecr helper

[luke-flow]

Hello!

I have a usecase for rules_oci to pull from a private ECR repository. One option is to have all my users define AWS_PROFILE env var before running Bazel, but this is awkward for the following reasons:

• Breaks the build for users that forget to set it.
• Does not work for multiple ECR registries with different profiles.

This is because in addition to the credential_helper, rules_oci also reads the default Docker credential helper configuration in

rules_oci/oci/private/authn.bzl

Lines 116 to 119 in 7de244c

	content = """\
	#!/usr/bin/env bash
	exec "docker-credential-{}" get <<< "$1" """.format(helper_name),
	)

I would like to discuss if there is a way to cleanly add support for this, I would be happy to contribute a PR if we can agree on what the interface should look like. Locally I am patching this with a very naive approach:

rules_oci_env_pull.patch for which I then set the profile in my pull:

oci.pull(
    auth_env = {
        "AWS_PROFILE": "my-super-secret-profile",
    },
)

Let me know what you think!

[thesayyn]

It's an interesting addition, we already support Bazel wide profiles with --client_env=AWS_PROFILE= but i never thought of per oci_pull counterpart. PRs are welcome for addition like this.

[plobsing]

This is because in addition to the credential_helper, rules_oci also reads the default Docker credential helper configuration in

rules_oci/oci/private/authn.bzl

FYI, that behaviour can be suppressed by passing an empty JSON document as a Docker config

---

MODULE.bazel

oci.pull(
    # ...
    config = ":empty.json",
    # ...
)

empty.json

{}

---

The way I've done it, it does add one line per pull. I believe it could also be achieved repo-wide by adding --repo_env=DOCKER_CONFIG=some/dir/containing/empty_config to the repo's .bazelrc, but I don't have experience doing things that way yet.