diff --git a/cmd/drone-ecr/main.go b/cmd/drone-ecr/main.go
index 9de37a1d..07450c32 100644
--- a/cmd/drone-ecr/main.go
+++ b/cmd/drone-ecr/main.go
@@ -37,6 +37,7 @@ func main() {
 		lifecyclePolicy  = getenv("PLUGIN_LIFECYCLE_POLICY")
 		repositoryPolicy = getenv("PLUGIN_REPOSITORY_POLICY")
 		assumeRole       = getenv("PLUGIN_ASSUME_ROLE")
+		externalId       = getenv("PLUGIN_EXTERNAL_ID")
 		scanOnPush       = parseBoolOrDefault(false, getenv("PLUGIN_SCAN_ON_PUSH"))
 	)
@@ -57,7 +58,7 @@ func main() {
 		log.Fatal(fmt.Sprintf("error creating aws session: %v", err))
 	}
-	svc := getECRClient(sess, assumeRole)
+	svc := getECRClient(sess, assumeRole, externalId)
 	username, password, defaultRegistry, err := getAuthInfo(svc)
 	if registry == "" {
@@ -208,11 +209,19 @@ func getenv(key ...string) (s string) {
 	return
 }
-func getECRClient(sess *session.Session, role string) *ecr.ECR {
+func getECRClient(sess *session.Session, role string, externalId string) *ecr.ECR {
 	if role == "" {
 		return ecr.New(sess)
 	}
-	return ecr.New(sess, &aws.Config{
-		Credentials: stscreds.NewCredentials(sess, role),
-	})
+	if externalId != "" {
+		return ecr.New(sess, &aws.Config{
+			Credentials: stscreds.NewCredentials(sess, role, func(p *stscreds.AssumeRoleProvider) {
+				p.ExternalID = &externalId
+			}),
+		})
+	} else {
+		return ecr.New(sess, &aws.Config{
+			Credentials: stscreds.NewCredentials(sess, role),
+		})
+	}
 }
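Review bot: In the new getECRClient body the `ecr.New(sess, &aws.Config{Credentials: stscreds.NewCredentials(...)})` construction is duplicated across the `if externalId != ""` and `else` branches, and the `else` follows a `return`; since stscreds.NewCredentials takes its provider options variadically, the two branches collapse into one return by appending the ExternalID option only when it is set. The parameter and the new local in the first hunk are named `externalId`, which Go's initialism convention spells `externalID` (the SDK field itself is `ExternalID`); I would also prefer `aws.String(externalID)` over taking the address of the parameter, which is what the rewrite below does. One point worth a line of documentation: when `PLUGIN_EXTERNAL_ID` is set but `PLUGIN_ASSUME_ROLE` is empty, the early `return ecr.New(sess)` silently drops the external ID and the plugin proceeds with the session's own credentials, so a doc comment such as `// getECRClient returns an ECR client that assumes role (with externalID as the STS ExternalId when non-empty); both are ignored when role is empty.` and, ideally, a warning log in that branch would make the misconfiguration visible. The enclosing function is fully contained in this hunk.
```go
func getECRClient(sess *session.Session, role string, externalID string) *ecr.ECR {
	if role == "" {
		return ecr.New(sess)
	}
	var opts []func(*stscreds.AssumeRoleProvider)
	if externalID != "" {
		opts = append(opts, func(p *stscreds.AssumeRoleProvider) {
			p.ExternalID = aws.String(externalID)
		})
	}
	return ecr.New(sess, &aws.Config{
		Credentials: stscreds.NewCredentials(sess, role, opts...),
	})
}
```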