aws
diff --git a/‎.dockerignore‎
Lines changed: 1 addition & 0 deletions b/‎.dockerignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/build_and_test_docker_image.yml‎
Lines changed: 136 additions & 0 deletions b/‎.github/workflows/build_and_test_docker_image.yml‎
Lines changed: 136 additions & 0 deletions
diff --git a/‎.github/workflows/publish_docker_image.yml‎
Lines changed: 81 additions & 0 deletions b/‎.github/workflows/publish_docker_image.yml‎
Lines changed: 81 additions & 0 deletions
diff --git a/‎.semgrepignore‎
Lines changed: 2 additions & 0 deletions b/‎.semgrepignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 1 deletion b/‎Makefile‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docker_image_resources/.env.template‎
Lines changed: 20 additions & 0 deletions b/‎docker_image_resources/.env.template‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎docker_image_resources/Dockerfile‎
Lines changed: 46 additions & 0 deletions b/‎docker_image_resources/Dockerfile‎
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1 @@
+docker_image_resources/
@@ -0,0 +1,136 @@
+name: Build and Test Credential Helper Docker Image
+
+on:
+  push:
+    branches: [ main ]
+
+env:
+  STAGING_REGISTRY: 264252446756.dkr.ecr.us-east-1.amazonaws.com
+  STAGING_REPOSITORY: credential-helper-staging
+  AWS_REGION: us-east-1
+
+permissions:
+    contents: read
+    packages: write
+    id-token: write   # This is required for requesting the JWT for AWS authentication
+
+jobs:
+  build-and-push:
+    name: Build Docker Images and Push to Staging Repository
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-24.04
+            platform: amd64
+          - os: ubuntu-24.04-arm
+            platform: arm64
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@master
+        with:
+          role-to-assume: arn:aws:iam::264252446756:role/GithubActionsAccessRole
+          aws-region: ${{ env.AWS_REGION }}
+          
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Extract Version from Makefile
+        id: extract-version
+        run: |
+          VERSION=$(grep '^VERSION=' Makefile | cut -d'=' -f2)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Extracted version: $VERSION"
+
+      - name: Build and Push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./docker_image_resources/Dockerfile
+          platforms: linux/${{ matrix.platform }}
+          push: true
+          build-args: |
+            VERSION=${{ steps.extract-version.outputs.version }}
+          tags: |
+            ${{ env.STAGING_REGISTRY }}/${{ env.STAGING_REPOSITORY }}:${{ github.sha }}-${{ matrix.platform }}
+          provenance: false # provenance must be disabled in order to prevent manifest creation failures
+
+  test-and-scan:
+    name: Test and Scan Docker Images
+    needs: build-and-push
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-24.04
+            platform: amd64
+          - os: ubuntu-24.04-arm
+            platform: arm64 
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@master
+        with:
+          role-to-assume: arn:aws:iam::264252446756:role/GithubActionsAccessRole
+          aws-region: ${{ env.AWS_REGION }}
+          
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      
+      - name: Set up Test Environment
+        env:
+          PCA_ARN: arn:aws:acm-pca:us-east-1:264252446756:certificate-authority/807cc589-2b5a-4976-a0d8-eeca654e7916 
+        run: |
+          MAX_PULL_ATTEMPTS=3
+          PULL_ATTEMPT=0
+          until docker pull ${{ env.STAGING_REGISTRY }}/${{ env.STAGING_REPOSITORY }}:${{ github.sha }}-${{matrix.platform}}; do
+              PULL_ATTEMPT=$((PULL_ATTEMPT + 1))
+              if [ $PULL_ATTEMPT -ge $MAX_PULL_ATTEMPTS ]; then
+                  echo "Failed to pull image after $MAX_PULL_ATTEMPTS attempts"
+                  exit 1
+              fi
+              echo "Pull attempt $PULL_ATTEMPT failed, waiting before retry..."
+              sleep 10
+          done
+            
+          echo "REPOSITORY=${{ env.STAGING_REPOSITORY }}" >> $GITHUB_ENV
+
+          mkdir -p docker_image_resources/tests/certs
+          
+          ./docker_image_resources/tests/scripts/setup-key-and-cert-pca.sh "$PCA_ARN"
+          
+      - name: Test the ${{matrix.platform}} Docker Image
+        env:
+          TRUST_ANCHOR_ARN: arn:aws:rolesanywhere:us-east-1:264252446756:trust-anchor/11436419-d765-4a1f-a65e-441a197ed5fc
+          PROFILE_ARN: arn:aws:rolesanywhere:us-east-1:264252446756:profile/24a0d47d-9e88-4be8-97fc-a55422105b6c
+          ROLE_ARN: arn:aws:iam::264252446756:role/CredentialHelperTestingRole
+          VERSION: ${{ github.sha }}-${{matrix.platform}}
+          REGISTRY: ${{ env.STAGING_REGISTRY }} # Needed due to test suite using this variable
+        run: |
+          # Run basic version test
+          echo "Testing version command:"
+          docker run --rm ${{ env.STAGING_REGISTRY }}/${{ env.STAGING_REPOSITORY }}:${{ github.sha }}-${{matrix.platform}} version
+
+          # Run Integration Tests 
+          cd docker_image_resources
+          ./tests/run-tests.sh
+          
+      - name: Install Trivy Image Scanner 
+        uses: aquasecurity/setup-trivy@v0.2.0
+        with:
+          cache: true
+          version: v0.63.0
+
+      - name: Scan Docker image with Trivy
+        run: |
+          IMAGE_REFERENCE="${{ env.STAGING_REGISTRY }}/${{ env.STAGING_REPOSITORY }}:${{ github.sha }}-${{matrix.platform}}"
+          ./docker_image_resources/tests/scripts/scan-image.sh "$IMAGE_REFERENCE"
@@ -0,0 +1,81 @@
+name: Publish Credential Helper Docker Image
+
+on:
+  push:
+    tags: ['v*.*.*']
+  workflow_dispatch: # Temporarily introduced for initial push to repo. Will be removed in a subsequent commit
+
+jobs:
+  publish-images-to-ecr:
+    name: Publish Built Images to ECR 
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write   # This is required for requesting the JWT for AWS authentication
+    env:
+      PUBLIC_REGISTRY: public.ecr.aws/rolesanywhere
+      PUBLIC_REPOSITORY: credential-helper
+      STAGING_REGISTRY: 264252446756.dkr.ecr.us-east-1.amazonaws.com
+      STAGING_REPOSITORY: credential-helper-staging
+      AWS_REGION: us-east-1
+      AWS_SIGNER_PLUGIN_LINK: https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip
+      AWS_SIGNER_PLUGIN_FILENAME: notation-aws-signer-plugin.zip
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@master
+        with:
+          role-to-assume: arn:aws:iam::264252446756:role/GithubActionsAccessRole 
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Tag Images and Push to ECR
+        id: tag_and_push  
+        run: |
+          AMD64_DOCKER_IMAGE="${{ env.STAGING_REGISTRY }}/${{ env.STAGING_REPOSITORY }}:${{ github.sha }}-amd64"
+          ARM64_DOCKER_IMAGE="${{ env.STAGING_REGISTRY }}/${{ env.STAGING_REPOSITORY }}:${{ github.sha }}-arm64"
+          docker pull $AMD64_DOCKER_IMAGE
+          docker pull $ARM64_DOCKER_IMAGE
+          # extract version from executable
+          VERSION=$(docker run --rm $AMD64_DOCKER_IMAGE version)
+          TIMESTAMP=$(date +%Y.%m.%d.%H.%M)
+          docker tag $AMD64_DOCKER_IMAGE ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:$VERSION-amd64-$TIMESTAMP
+          docker tag $AMD64_DOCKER_IMAGE ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:latest-amd64
+          docker push ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:$VERSION-amd64-$TIMESTAMP
+          AMD64_IMAGE_SHA=$(docker push ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:latest-amd64 | grep digest | cut -d' ' -f3 )
+          echo "amd64_image_sha=$AMD64_IMAGE_SHA" >> "$GITHUB_OUTPUT"
+          docker tag $ARM64_DOCKER_IMAGE ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:$VERSION-arm64-$TIMESTAMP
+          docker tag $ARM64_DOCKER_IMAGE ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:latest-arm64
+          docker push ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:$VERSION-arm64-$TIMESTAMP
+          ARM64_IMAGE_SHA=$(docker push ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:latest-arm64 | grep digest | cut -d' ' -f3 )
+          echo "arm64_image_sha=$ARM64_IMAGE_SHA" >> "$GITHUB_OUTPUT"
+          docker manifest create ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:latest \
+            ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}@$AMD64_IMAGE_SHA \
+            ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}@$ARM64_IMAGE_SHA 
+          echo "manifest_sha=$(docker manifest push ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}:latest)" >> "$GITHUB_OUTPUT"
+
+      - name: Setup Notation CLI
+        uses: notaryproject/notation-action/setup@v1
+
+      - name: Retrieve AWS Signer Checksum Value 
+        id: checksum
+        run: |
+          curl -LO ${{ env.AWS_SIGNER_PLUGIN_LINK}}
+          echo "signer_sha=$(sha256sum ${{env.AWS_SIGNER_PLUGIN_FILENAME}} | cut -f1 -d' ')" >> "$GITHUB_OUTPUT"
+
+      - name: Sign the Images and Manifest with Notation 
+        uses: notaryproject/notation-action/sign@v1
+        with:
+          plugin_name: com.amazonaws.signer.notation.plugin
+          plugin_url: https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip 
+          plugin_checksum: ${{steps.checksum.outputs.signer_sha}} # Required in order to use the AWS signer plugin
+          key_id: arn:aws:signer:us-east-1:264252446756:/signing-profiles/IAM_ROLES_ANYWHERE_SIGNING_PROFILE_V1_0
+          target_artifact_reference: |-
+            ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}@${{steps.tag_and_push.outputs.manifest_sha}}
+            ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}@${{steps.tag_and_push.outputs.amd64_image_sha}}
+            ${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_REPOSITORY }}@${{steps.tag_and_push.outputs.arm64_image_sha}}
@@ -1,2 +1,4 @@
 # Invalid RSA key for testing
 tst/certs/invalid-rsa-key.pem
+# Do not factor in testing image templates since they are not meant for a privileged environment
+docker_image_resources/tests/pod_configurations
@@ -1,5 +1,6 @@
 VERSION=1.7.0
-
+# IMPORTANT: This VERSION variable is parsed by the GitHub Actions image build workflow.
+# Please maintain the X.Y.Z format to ensure compatibility with the automated build process. 
 .PHONY: release
 release: build/bin/aws_signing_helper
 
 
@@ -0,0 +1,20 @@
+# This file provides a template for defining environment variables to
+# customize the build and test process of the credential helper docker image
+
+# Image Property Components
+# These are NOT required and DO have defaults
+VERSION=                # Docker image version tag
+REGISTRY=               # Docker registry
+REPOSITORY=             # Docker image repository
+
+# Test Resource ARNs
+# These ARE required and do NOT have defaults
+TRUST_ANCHOR_ARN=       # Format: arn:<partition>:rolesanywhere:<region>:<accountId>:trust-anchor/id
+PROFILE_ARN=            # Format: arn:<partition>:rolesanywhere:<region>:<accountId>:profile/id
+ROLE_ARN=               # Format: arn:<partition>:iam::<accountId>:role/role-name
+
+# PKI Resource Paths
+# These ARE required and DO have defaults
+# Ideally these files can be placed in the tests/certs directory
+CERTIFICATE_PATH=       # Format: path/to/certificate.pem
+PRIVATE_KEY_PATH=       # Format: path/to/private_key.pem
@@ -0,0 +1,46 @@
+# Stage 1: Build the IAM Roles Anywhere Credential Helper from source
+# Version pinned to most recent stable release
+FROM --platform=$TARGETPLATFORM public.ecr.aws/amazonlinux/amazonlinux:2023.7.20250527.1 AS builder
+
+# Add build arguments
+ARG TARGETARCH
+ARG VERSION
+
+# Install build dependencies
+RUN dnf install -y \
+    golang-1.24.3-1.amzn2023.0.1 \
+    make \
+    && dnf clean all
+
+# Set up working directory
+WORKDIR /build/rolesanywhere-credential-helper
+
+# Set GOARCH for cross-compilation
+ENV CGO_ENABLED=1
+ENV GOOS=linux
+ENV GOARCH=${TARGETARCH}
+
+COPY .. .
+
+# Build with architecture-specific settings
+RUN make release
+
+# Stage 2: Create a minimal runtime image
+# Version pinned to most recent stable release
+FROM --platform=$TARGETPLATFORM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-glibc:2025-06-11-1749625329.2023
+
+# Add build argument for version in final stage
+ARG VERSION
+
+# Copy the credential helper from the builder stage
+COPY --from=builder /build/rolesanywhere-credential-helper/build/bin/aws_signing_helper /usr/local/bin/
+
+USER 65532:65532
+
+# Set the entrypoint
+ENTRYPOINT ["/usr/local/bin/aws_signing_helper"]
+
+# Add labels
+LABEL maintainer="AWS IAM Roles Anywhere" \
+      version="${VERSION}" \
+      description="AWS IAM Roles Anywhere Credential Helper Docker Image"