Skip to content

Latest commit

 

History

History
52 lines (32 loc) · 1.52 KB

README.md

File metadata and controls

52 lines (32 loc) · 1.52 KB

Docker instance-principal credential helper for OCIR

Use the OCI go sdk to request a docker token based on the OCI instance principal.

Use

Build the helper:

go mod vendor
go build docker-credential-ocir.go

Install it somewhere on your path:

sudo cp docker-credential-ocir /usr/local/bin

Configure your local docker installation to use the credential helper:

mkdir -p ~/.docker
cat > ~/.docker/config.json <<EOF
{
    "credsStore": "ocir"
}
EOF

There are details on constructing a more nuanced configuration on the docker website

OCI policy configuration

Construct a dynamic-group definition that includes your instance:

# Dynamic group `example-instance-dynamic-group`
instance.compartment.id = 'ocid1.compartment.oc1..aaaaaaaawflibbertigibbetblahblahblahblah'

Construct a policy that permits the instance the rights you want:

# Root policy `example-instance-repo-management`
allow dynamic-group example-instance-dynamic-group to manage repos in tenancy where all {target.repo.name = /example*/}

Try it

On the instance:

docker pull iad.ocir.io/blahblah/example/repo/path:0.0.1

Using it with user creds instead

Rather than using an auth token, you can use your user credentials instead to generate an ephemeral token. Install the binary with a different name and reference it as that: eg, stash it as ~/bin/docker-credential-user and install a stanza such as:

{"credHelpers": {"iad.ocir.io": "user"}}