Merge pull request #440 from drone-plugins/CI-12566

Fixed 'error getting ECR auth: WebIdentityErr: unable to read file at…' issue

.drone.yml

@@ -172,7 +172,7 @@ steps:
       - go build -o release/windows/amd64/drone-acr.exe ./cmd/drone-acr
       - go build -o release/windows/amd64/drone-gar.exe ./cmd/drone-gar
   - name: build docker plugin
-    image: plugins/docker
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
       dockerfile: docker/docker/Dockerfile.windows.amd64.ltsc2022
       repo: plugins/docker
@@ -186,7 +186,7 @@ steps:
     when:
       event: [push, tag]
   - name: build ecr plugin
-    image: plugins/docker
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
       dockerfile: docker/ecr/Dockerfile.windows.amd64.ltsc2022
       repo: plugins/ecr
@@ -200,7 +200,7 @@ steps:
     when:
       event: [push, tag]
   - name: build gcr plugin
-    image: plugins/docker
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
       dockerfile: docker/gcr/Dockerfile.windows.amd64.ltsc2022
       repo: plugins/gcr
@@ -214,7 +214,7 @@ steps:
     when:
       event: [push, tag]
   - name: build acr plugin
-    image: plugins/docker
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
       dockerfile: docker/acr/Dockerfile.windows.amd64.ltsc2022
       repo: plugins/acr
@@ -228,7 +228,7 @@ steps:
     when:
       event: [push, tag]
   - name: build gar plugin
-    image: plugins/docker
+    image: plugins/docker@sha256:f0233d950ae87ee6cb5500b2d5497fe02aa338201c0bdce2619f443fd174cfa4
     settings:
       dockerfile: docker/gar/Dockerfile.windows.amd64.ltsc2022
       repo: plugins/gar

cmd/drone-ecr/main.go

@@ -42,7 +42,7 @@ func main() {
 		assumeRole       = getenv("PLUGIN_ASSUME_ROLE")
 		externalId       = getenv("PLUGIN_EXTERNAL_ID")
 		scanOnPush       = parseBoolOrDefault(false, getenv("PLUGIN_SCAN_ON_PUSH"))
-		idToken          = os.Getenv("PLUGIN_OIDC_TOKEN_ID") 
+		idToken          = os.Getenv("PLUGIN_OIDC_TOKEN_ID")
 	)
 
 	// set the region
@@ -218,9 +218,24 @@ func getECRClient(sess *session.Session, role string, externalId string, idToken
 	if role == "" {
 		return ecr.New(sess)
 	}
-	// Use STS AssumeRoleWithWebIdentity when idToken is provided
+
 	if idToken != "" {
-		creds := stscreds.NewWebIdentityCredentials(sess, role, "", idToken)
+		tempFile, err := os.CreateTemp("/tmp", "idToken-*.jwt")
+		if err != nil {
+			log.Fatalf("Failed to create temporary file: %v", err)
+		}
+		defer tempFile.Close()
+
+		if err := os.Chmod(tempFile.Name(), 0600); err != nil {
+			log.Fatalf("Failed to set file permissions: %v", err)
+		}
+
+		if _, err := tempFile.WriteString(idToken); err != nil {
+			log.Fatalf("Failed to write ID token to temporary file: %v", err)
+		}
+
+		// Create credentials using the path to the ID token file
+		creds := stscreds.NewWebIdentityCredentials(sess, role, "", tempFile.Name())
 		return ecr.New(sess, &aws.Config{Credentials: creds})
 	} else if externalId != "" {
 		return ecr.New(sess, &aws.Config{