创建 Dockerfile。因为需要 aws 命令，所以不单独下载安装，直接使用 Amazon Linux（amazonlinux）镜像，并通过 yum 安装 awscli：

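# syntax=docker/dockerfile:1
# ECR credential-refresher sidecar image.
# Runs refresh-ecr-credentials.sh, which periodically calls
# `aws ecr get-login-password` and writes the token to AWS_CREDENTIALS_FILE.
# Amazon Linux is used so awscli comes from the distro repos instead of a
# separate download.
# NOTE(review): pin by digest (amazonlinux:2@sha256:...) for reproducible
# builds; amazonlinux:2 is also an ageing base, so plan a move to a newer tag.
FROM amazonlinux:2

# Install and clean up in one layer so the yum cache never lands in the image.
RUN yum update -y && \
    yum install -y awscli jq && \
    yum clean all

WORKDIR /app
# The original `COPY refresh-ecr-credentials.sh` had no destination, which
# fails the build ("COPY requires at least two arguments").
COPY refresh-ecr-credentials.sh /app/refresh-ecr-credentials.sh

# Build-time defaults (overridable with --build-arg), exported as runtime ENV
# so `docker run -e` can still override them at start-up.
ARG AWS_REGION=us-east-1
ARG REFRESH_INTERVAL=3600
ARG CREDENTIALS_DIR=/shared_credentials
ARG AWS_CREDENTIALS_FILE=/opt/password
ENV AWS_REGION=${AWS_REGION} \
    REFRESH_INTERVAL=${REFRESH_INTERVAL} \
    CREDENTIALS_DIR=${CREDENTIALS_DIR} \
    AWS_CREDENTIALS_FILE=${AWS_CREDENTIALS_FILE}

# NOTE(review): the default AWS_CREDENTIALS_FILE (/opt/password) lies outside
# CREDENTIALS_DIR, the directory exported as a VOLUME below, so a container
# sharing that volume will not see the token unless the override points inside
# it (e.g. -e AWS_CREDENTIALS_FILE=/shared_credentials/password).

# Owner-only permissions on every directory that will hold credentials.
# `~` expands to /root here because no USER has been set.
RUN mkdir -p "${CREDENTIALS_DIR}" ~/.aws /opt && \
    chmod 700 "${CREDENTIALS_DIR}" ~/.aws /opt && \
    chmod +x /app/refresh-ecr-credentials.sh

# NOTE(review): the image runs as root. A non-root USER is preferable, but the
# consumer of the shared volume must then run with a matching UID/fsGroup to
# read the 0600 token file, so that decision is left to the deployment.

# Marks the container unhealthy when the token file is missing or empty
# (e.g. every refresh has failed since start-up).
HEALTHCHECK --interval=60s --timeout=5s --start-period=30s --retries=3 \
  CMD test -s "${AWS_CREDENTIALS_FILE}" || exit 1

CMD ["/app/refresh-ecr-credentials.sh"]
# Declared last so the permissions set above survive the build.
VOLUME ["${CREDENTIALS_DIR}"]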

准备 refresh-ecr-credentials.sh

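#!/bin/bash
# Sidecar loop: fetch a fresh ECR login password every REFRESH_INTERVAL
# seconds and publish it to AWS_CREDENTIALS_FILE for a co-located consumer.
#
# Environment (all optional; defaults mirror the Dockerfile ENV block):
#   AWS_REGION            region passed to `aws ecr get-login-password`
#   REFRESH_INTERVAL      seconds between refreshes
#   AWS_CREDENTIALS_FILE  destination path of the password file
set -uo pipefail

AWS_REGION="${AWS_REGION:-us-east-1}"
REFRESH_INTERVAL="${REFRESH_INTERVAL:-3600}"
AWS_CREDENTIALS_FILE="${AWS_CREDENTIALS_FILE:-/opt/password}"

# Timestamped message on stderr (container log).
log() {
  echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >&2
}

# As PID 1 bash ignores SIGTERM unless a handler is installed; this one lets
# `docker stop` end the container promptly instead of waiting out the sleep.
trap 'log "收到终止信号，退出"; exit 0' TERM INT

# Fetch one token and install it atomically.
# Writing `> "$AWS_CREDENTIALS_FILE"` directly would truncate the old token
# before the API call returns (readers see an empty file on failure) and leave
# the new one at umask permissions until chmod runs. mktemp creates the file
# 0600, so the token is never readable by others; mv then swaps it in place.
# aws's stderr is no longer discarded so failures are diagnosable from the log.
refresh() {
  local tmp
  tmp="$(mktemp "${AWS_CREDENTIALS_FILE}.XXXXXX")" || return 1
  if aws ecr get-login-password --region "${AWS_REGION}" > "${tmp}" && [ -s "${tmp}" ]; then
    chmod 600 "${tmp}" && mv -f "${tmp}" "${AWS_CREDENTIALS_FILE}"
  else
    rm -f "${tmp}"
    return 1
  fi
}

while true; do
  log "刷新ECR凭证..."
  if refresh; then
    log "ECR密钥已成功刷新"
  else
    log "刷新ECR密钥失败"
  fi
  # The original loop had no sleep at all and hammered the ECR API back to
  # back; REFRESH_INTERVAL was never read. Sleep in the background so the
  # TERM trap above can interrupt it.
  sleep "${REFRESH_INTERVAL}" &
  wait $!
done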