Commit e2781ef

make aws_login checks for valid credentials (#284)
# Summary

This PR adds docker credentials verification in `make aws_login` to reliably refresh docker credentials only if needed.

Previous method of skipping was checking if the ~/.docker/config.json was modified in the last six hours, but it wasn't reliable enough. If you performed docker login to any other registry or just modified the file, you won't get ECR credentials refreshed.

## Proof of Work

breaking docker credentials (simulating expired):

```bash
$ cat > ~/.docker/config.json <<EOF
{
  "auths": {
    "268558157000.dkr.ecr.eu-west-1.amazonaws.com": {
      "auth": "INVALID"
    },
    "268558157000.dkr.ecr.us-east-1.amazonaws.com": {
      "auth": "INVALID"
    }
  },
  "currentContext": "desktop-linux"
}
EOF
$ docker pull 268558157000.dkr.ecr.us-east-1.amazonaws.com/dev/mongodb-kubernetes/latest
WARNING: Error parsing config file (/Users/lukasz.sierant/.docker/config.json): illegal base64 data at input byte 4
Using default tag: latest
Error response from daemon: failed to resolve reference "268558157000.dkr.ecr.us-east-1.amazonaws.com/dev/mongodb-kubernetes/latest:latest": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials
```

**from master** - auth is skipped due to file modification time check only

```bash
$ make aws_login
Skipping docker daemon check when not running in Linux
Docker credentials are up to date - not performing the new login!
```

**from this PR:**

```bash
$ make aws_login
Skipping docker daemon check when not running in Linux
Checking if Docker credentials are valid...
Docker login required (HTTP status: 401)
=> Performing docker login to ECR registries
aws-cli/2.27.46 Python/3.13.5 Darwin/24.5.0 source/arm64}
[...]
Login Succeeded
[...]
$ docker pull 268558157000.dkr.ecr.us-east-1.amazonaws.com/dev/mongodb-kubernetes:latest
docker pull 268558157000.dkr.ecr.us-east-1.amazonaws.com/dev/mongodb-kubernetes:latest
latest: Pulling from dev/mongodb-kubernetes
671b7b89b752: Pulling fs layer
[....]
```

running again skips properly:

```bash
$ make aws_login
Skipping docker daemon check when not running in Linux
Checking if Docker credentials are valid...
Docker credentials are up to date - not performing the new login!
```

## Checklist

- [ ] Have you linked a jira ticket and/or is the ticket in the title?
- [ ] Have you checked whether your jira ticket required DOCSP changes?
- [ ] Have you checked for release_note changes?
1 parent 709d41f commit e2781ef

1 file changed

+16
-6
lines changed

scripts/dev/configure_docker_auth.sh

Lines changed: 16 additions & 6 deletions
@@ -1,6 +1,7 @@
11
#!/usr/bin/env bash
22

33
set -Eeou pipefail
4+
test "${MDB_BASH_DEBUG:-0}" -eq 1 && set -x
45

56
source scripts/dev/set_env_context.sh
67
source scripts/funcs/checks
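Review bot: the `set -x` toggle added at new line 4 enables tracing for the whole script, and this same commit reads the ECR `auth` value into `ecr_auth` and passes it to curl in an `Authorization: Basic` header, so a run with `MDB_BASH_DEBUG=1` writes the base64 registry credential into the trace output. Consider switching tracing off around the credential read and the curl call (`set +x`, then restore the previous state), or at least add a comment next to the toggle stating that debug output contains secrets.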
@@ -45,12 +46,21 @@ check_docker_daemon_is_running
4546

4647
if [[ -f ~/.docker/config.json ]]; then
4748
if [[ "${RUNNING_IN_EVG:-"false"}" != "true" ]]; then
48-
# when running locally we don't need to docker login all the time - we can do it once in 11 hours (ECR tokens expire each 12 hours)
49-
if [[ -n "$(find ~/.docker/config.json -mmin -360 -type f)" ]] &&
50-
grep "quay.io" -q ~/.docker/config.json && # TODO to be removed at public preview stage of community-search
51-
grep "268558157000" -q ~/.docker/config.json; then
52-
echo "Docker credentials are up to date - not performing the new login!"
53-
exit
49+
# Check if login is actually required by making a HEAD request to ECR using existing Docker config
50+
echo "Checking if Docker credentials are valid..."
51+
ecr_auth=$(jq -r '.auths."268558157000.dkr.ecr.us-east-1.amazonaws.com".auth // empty' ~/.docker/config.json)
52+
53+
if [[ -n "${ecr_auth}" ]]; then
54+
http_status=$(curl --head -s -o /dev/null -w "%{http_code}" --max-time 3 "https://268558157000.dkr.ecr.us-east-1.amazonaws.com/v2/dev/mongodb-kubernetes/manifests/latest" \
55+
-H "Authorization: Basic ${ecr_auth}" 2>/dev/null || echo "error/timeout")
56+
57+
if [[ "${http_status}" != "401" && "${http_status}" != "403" && "${http_status}" != "error/timeout" ]]; then
58+
echo "Docker credentials are up to date - not performing the new login!"
59+
exit
60+
fi
61+
echo "Docker login required (HTTP status: ${http_status})"
62+
else
63+
echo "No ECR credentials found in Docker config - login required"
5464
fi
5565
fi
5666
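Review bot: the status comparison at new line 57 fails open. When curl times out or cannot connect it still writes `000` for `%{http_code}` before exiting non-zero, so the command substitution yields `000error/timeout`, which equals none of the three excluded strings, and the script exits with "Docker credentials are up to date"; a 404 or 5xx response is accepted the same way. Compare against an explicit success status instead (for example `[[ "${http_status}" == "200" ]]`) and treat everything else as login required. Two further points on the same block: only the us-east-1 registry is probed, whereas the removed check also required a quay.io entry, so a valid us-east-1 token now skips the login even when the other registries' credentials are missing or expired; and `-H "Authorization: Basic ${ecr_auth}"` places the credential on curl's command line, where it is visible in the local process list, which reading the header from stdin with `-H @-` would avoid.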
