feat: add support for resolving AWS profiles per account. (#209)

Introduced logic to resolve AWS profiles using account-specific environment variables, shared configuration, or a default profile. This ensures better flexibility in handling multiple AWS accounts and their configurations.

Author: pcanilho

README.md

@@ -1,4 +1,3 @@
-
 # Docker Credentials from the Environment
 
 A [Docker credential helper](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers) to streamline repository interactions in scenarios where the cacheing of credentials to `~/.docker/config.json` is undesirable, including CI/CD pipelines, or anywhere ephemeral credentials are used.
@@ -28,6 +27,19 @@ If no environment variables for the target repository's FQDN is found, then:
   * `AWS_SECRET_ACCESS_KEY_<account_id>`
   * `AWS_SESSION_TOKEN_<account_id>` (optional)
   * `AWS_ROLE_ARN_<account_id>` (optional)
+  * `AWS_PROFILE_<account_id>` (optional)
+
+### AWS Profile Selection
+
+The helper supports using AWS named profiles for authentication:
+
+* `AWS_PROFILE`: Specifies which profile to use from your AWS shared configuration files. This is used when no account-specific credentials or profile is found.
+* `AWS_PROFILE_<account_id>`: Account-specific profile selection. When accessing an ECR repository for a specific AWS account, you can set this environment variable to use a specific named profile from your AWS shared configuration files.
+
+The profile selection follows this order of precedence:
+1. Account-specific profile (`AWS_PROFILE_<account_id>`)
+2. Standard AWS credentials for the specific account (if any account-specific credentials are found)
+3. Standard AWS profile (`AWS_PROFILE`) if no account-specific settings are found
 
 Important note: The helper will first look for account-suffixed AWS credentials (e.g. AWS_ACCESS_KEY_ID_123456789012).
 If ANY account-suffixed credentials are found, even partially, the helper requires ALL mandatory credentials to be
@@ -120,7 +132,26 @@ stages {
         }
     }
 
-    stage('Push Image to GHCR') {
+    stage('Push Image to AWS-ECR (Using Named Profiles)') {
+      environment {
+        // Using standard profile for one account
+        AWS_PROFILE                    = 'default-profile'
+        // Using account-specific profile for another account
+        AWS_PROFILE_987654321098       = 'account-specific-profile'
+        DOCKER_CREDENTIAL_ENV_DEBUG    = 'true' // Enable debug output for credential helper
+      }
+      steps {
+        sh '''
+            # Uses AWS_PROFILE_987654321098
+            docker push 987654321098.dkr.ecr.eu-west-1.amazonaws.com/another-example/another-image:2.0
+            
+            # Uses AWS_PROFILE for a different account
+            docker push 123456789.dkr.ecr.us-east-1.amazonaws.com/example/example-image:1.0
+          '''
+      }
+    }
+
+  stage('Push Image to GHCR') {
         environment {
             GITHUB_TOKEN = credentials('github') // String credential
         }

env.go

@@ -42,6 +42,7 @@ const (
 	envAwsSecretAccessKey = "AWS_SECRET_ACCESS_KEY" // #nosec G101
 	envAwsSessionToken    = "AWS_SESSION_TOKEN"     // #nosec G101
 	envAwsRoleArn         = "AWS_ROLE_ARN"
+	envAwsProfile         = "AWS_PROFILE"
 )
 
 // NotSupportedError represents an error indicating that the operation is not supported.
@@ -191,16 +192,33 @@ func getEcrToken(provider *ecrContext) (username, password string, err error) {
 		return retry.AddWithMaxBackoffDelay(standardRetryer, time.Second)
 	}
 
+	var extraOpts []func(*config.LoadOptions) error
+	if profile := getProfile(provider.AccountID); profile != "" {
+		// If a profile is specified, use it to load the AWS configuration
+		if b, err := strconv.ParseBool(os.Getenv(envDebugMode)); err == nil && b {
+			_, _ = fmt.Fprintf(os.Stderr, "AWS profile %q (Account: %s)\n", profile, provider.AccountID)
+		}
+		extraOpts = append(extraOpts, config.WithSharedConfigProfile(profile))
+	} else {
+		// If no profile is specified, use the ecrContext provider to load credentials
+		extraOpts = append(extraOpts, config.WithCredentialsProvider(aws.NewCredentialsCache(provider)))
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
 	defer cancel()
 	cfg, err := config.LoadDefaultConfig(ctx,
-		config.WithRetryer(simpleRetryer),
-		config.WithRegion(provider.Region),
-		config.WithCredentialsProvider(aws.NewCredentialsCache(provider)))
+		append(extraOpts, config.WithRetryer(simpleRetryer),
+			config.WithRegion(provider.Region))...)
 	if err != nil {
 		return
 	}
 
+	// Add a shared config profile if available
+	//if profile := getProfile(provider.AccountID, cfg.ConfigSources...); profile != "" {
+	//	cfg.ConfigSources = append(cfg.ConfigSources, config.WithSharedConfigProfile(profile))
+	//}
+
+	// If a role ARN is specified for the account, assume that role
 	var roleArn string
 	if roleArn = getRoleArn(provider.AccountID, cfg.ConfigSources...); roleArn != "" {
 		stsSvc := sts.NewFromConfig(cfg)
@@ -243,6 +261,45 @@ func getEcrToken(provider *ecrContext) (username, password string, err error) {
 	return
 }
 
+// getProfile resolves an AWS profile name by checking, in order:
+// 1. Account-specific environment variable (AWS_PROFILE_<account>)
+// 2. Configuration sources (SharedConfigProfile or Profile)
+// 3. Default AWS_PROFILE environment variable
+//
+// Parameters:
+//
+//	account - AWS account ID to look up account-specific profile name
+//	configSources - Optional AWS configuration sources containing profile information
+//
+// Returns:
+//
+//	profile - Resolved AWS profile name, empty string if none found
+func getProfile(account string, configSources ...any) (profile string) {
+	// Check for account-specific profile environment variable
+	val, found := os.LookupEnv(envAwsProfile + "_" + account)
+	if found {
+		return strings.TrimSpace(val)
+	}
+
+	if len(configSources) == 0 {
+		return os.Getenv("AWS_PROFILE")
+	}
+
+	for _, x := range configSources {
+		switch impl := x.(type) {
+		case config.EnvConfig:
+			if impl.SharedConfigProfile != "" {
+				return strings.TrimSpace(impl.SharedConfigProfile)
+			}
+		case config.SharedConfig:
+			if impl.Profile != "" {
+				return strings.TrimSpace(impl.Profile)
+			}
+		}
+	}
+	return
+}
+
 // getRoleArn retrieves the AWS role ARN for a specific account by checking environment variables and AWS configurations.
 // It checks the account-specific role ARN environment variable (AWS_ROLE_ARN_<account>). If not found,
 // then checks the standard AWS role ARN environment variable (AWS_ROLE_ARN) when no config sources are provided.

env_test.go

@@ -321,3 +321,46 @@ func TestGetRoleArn(t *testing.T) {
 		})
 	}
 }
+
+func TestGetProfile(t *testing.T) {
+	tests := []struct {
+		name     string
+		inputEnv map[string]string
+		expected string
+	}{
+		{
+			name: "Standard environment variable",
+			inputEnv: map[string]string{
+				"AWS_PROFILE": "my-profile",
+			},
+			expected: "my-profile",
+		},
+		{
+			name: "Suffixed environment variable",
+			inputEnv: map[string]string{
+				"AWS_PROFILE_12345": "my-profile",
+			},
+			expected: "my-profile",
+		},
+		{
+			name: "Suffixed has higher priority",
+			inputEnv: map[string]string{
+				"AWS_PROFILE":       "other-profile",
+				"AWS_PROFILE_12345": "my-profile",
+			},
+			expected: "my-profile",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			for k, v := range tt.inputEnv {
+				t.Setenv(k, v)
+			}
+			actual := getProfile("12345")
+			if actual != tt.expected {
+				t.Errorf("GetProfile(<suffix>) actual = (%v), expected (%v)", actual, tt.expected)
+			}
+		})
+	}
+}

provider_aws.go

@@ -36,7 +36,7 @@ func (p *ecrContext) Retrieve(_ context.Context) (out aws.Credentials, err error
 		// Diagnostic output
 		if out.Source != "" {
 			if b, err := strconv.ParseBool(os.Getenv(envDebugMode)); err == nil && b {
-				_, _ = fmt.Fprintf(os.Stderr, "Authenticating access to '%s.dkr.ecr.%s.amazonaws.com/' with %q\n", p.AccountID, p.Region, out.Source)
+				_, _ = fmt.Fprintf(os.Stderr, "Authenticating access to '%s.dkr.ecr.%s.amazonaws.com' with %q\n", p.AccountID, p.Region, out.Source)
 			}
 		}
 	}()