diff --git a/lib/datasource/docker/__snapshots__/index.spec.ts.snap b/lib/datasource/docker/__snapshots__/index.spec.ts.snap
index 6d773f2113fed82565b6acb436eaf6e0dec9a144..1cbbf983b7e2fd9904110ab2037382a366b9e0c8 100644
--- a/lib/datasource/docker/__snapshots__/index.spec.ts.snap
+++ b/lib/datasource/docker/__snapshots__/index.spec.ts.snap
@@ -110,6 +110,42 @@ Array [
]
`;
+exports[`datasource/docker/index getDigest passes credentials to ECR client 1`] = `
+Array [
+ Object {
+ "headers": Object {
+ "accept-encoding": "gzip, deflate, br",
+ "authorization": "Basic c29tZS11c2VybmFtZTpzb21lLXBhc3N3b3Jk",
+ "host": "123456789.dkr.ecr.us-east-1.amazonaws.com",
+ "user-agent": "https://github.com/renovatebot/renovate",
+ },
+ "method": "GET",
+ "url": "https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/",
+ },
+ Object {
+ "headers": Object {
+ "accept-encoding": "gzip, deflate, br",
+ "authorization": "Basic abcdef",
+ "host": "123456789.dkr.ecr.us-east-1.amazonaws.com",
+ "user-agent": "https://github.com/renovatebot/renovate",
+ },
+ "method": "GET",
+ "url": "https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/",
+ },
+ Object {
+ "headers": Object {
+ "accept": "application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json",
+ "accept-encoding": "gzip, deflate, br",
+ "authorization": "Basic abcdef",
+ "host": "123456789.dkr.ecr.us-east-1.amazonaws.com",
+ "user-agent": "https://github.com/renovatebot/renovate",
+ },
+ "method": "GET",
+ "url": "https://123456789.dkr.ecr.us-east-1.amazonaws.com/v2/node/manifests/some-tag",
+ },
+]
+`;
+
exports[`datasource/docker/index getDigest returns digest 1`] = `
Array [
Object {
diff --git a/lib/datasource/docker/index.spec.ts b/lib/datasource/docker/index.spec.ts
index 80198179ee67e4de3898c626729eb9a2b6984ba1..b1da20d9f695df4a978e4fbd9c34180898996282 100644
--- a/lib/datasource/docker/index.spec.ts
+++ b/lib/datasource/docker/index.spec.ts
@@ -255,6 +255,40 @@ describe(getName(), () => {
expect(res).toBeNull();
expect(httpMock.getTrace()).toMatchSnapshot();
});
+ it('passes credentials to ECR client', async () => {
+ httpMock
+ .scope(amazonUrl)
+ .get('/')
+ .reply(200, '', {
+ 'www-authenticate': 'Basic realm="My Private Docker Registry Server"',
+ })
+ .get('/')
+ .reply(200)
+ .get('/node/manifests/some-tag')
+ .reply(200, '', { 'docker-content-digest': 'some-digest' });
+
+ mockEcrAuthResolve({
+ authorizationData: [{ authorizationToken: 'abcdef' }],
+ });
+
+ await getDigest(
+ {
+ datasource: 'docker',
+ depName: '123456789.dkr.ecr.us-east-1.amazonaws.com/node',
+ },
+ 'some-tag'
+ );
+
+ const trace = httpMock.getTrace();
+ expect(trace).toMatchSnapshot();
+ expect(AWS.ECR).toHaveBeenCalledWith({
+ credentials: {
+ accessKeyId: 'some-username',
+ secretAccessKey: 'some-password',
+ },
+ region: 'us-east-1',
+ });
+ });
it('supports ECR authentication', async () => {
httpMock
.scope(amazonUrl)
diff --git a/lib/datasource/docker/index.ts b/lib/datasource/docker/index.ts
index a3c4298e62e43a56ce3e481b92d3f155032785a2..925258b5b8a3d8f29ce541c26809354617d0f5a4 100644
--- a/lib/datasource/docker/index.ts
+++ b/lib/datasource/docker/index.ts
@@ -1,5 +1,5 @@
import URL from 'url';
-import { ECR } from '@aws-sdk/client-ecr';
+import { ECR, ECRClientConfig } from '@aws-sdk/client-ecr';
import hasha from 'hasha';
import parseLinkHeader from 'parse-link-header';
import wwwAuthenticate from 'www-authenticate';
@@ -113,10 +113,12 @@ async function getECRAuthToken(
region: string,
opts: HostRule
): Promise<string | null> {
- const config = { region, accessKeyId: undefined, secretAccessKey: undefined };
+ const config: ECRClientConfig = { region };
if (opts.username && opts.password) {
- config.accessKeyId = opts.username;
- config.secretAccessKey = opts.password;
+ config.credentials = {
+ accessKeyId: opts.username,
+ secretAccessKey: opts.password,
+ };
}
const ecr = new ECR(config);
try {