We recently licensed the Drone Enterprise edition (thanks!) and I’m setting up the pipeline for our builds. We have added our drone-registry.yml file to the server (and confirmed that it shows up in Settings->Registry).
When I build it seems to be ignoring the settings in the global registry, however.
my .drone.yml:
pipeline:
  angular:
    image: plugins/docker
    repo: coinlion/angular
    auto_tag: true
    context: ./library/angular
    dockerfile: ./library/angular/Dockerfile
    when:
      branch: [ master ]
      event: [ push ]
FWIW, the plugins/ecr builder successfully builds and deploys my containers to ECR using the appropriate credentials in the same drone-registry.yml file (but this particular image we want to push to DockerHub instead).
Thoughts?
It looks like you are missing the secrets section for your pipeline step, which should explicitly request access to named secrets, including global secrets:
pipeline:
  angular:
    image: plugins/docker
    repo: coinlion/angular
    auto_tag: true
    context: ./library/angular
    dockerfile: ./library/angular/Dockerfile
+   secrets: [ docker_username, docker_password ]
    when:
      branch: [ master ]
      event: [ push ]
Note that the above yaml assumes your global secrets file looks something like this:
- name: docker_username
  value: octocat
- name: docker_password
  value: correct-horse-batter-staple
Also note that the secrets file is loaded when the application is started. This means that if you update the file, you need to restart the drone server instance for those changes to take effect.
Thanks for the quick reply. On http://docs.drone.io/setup-global-registry-credentials/ it doesn’t mention that these are exposed as secrets… and our ECR builds don’t require the secrets section once we added the global registry file. Or is that not supported in the plugins/docker plugin?
Our drone-registry.yml file looks like this (with our credentials of course):
- address: 012345678910.dkr.ecr.us-east-1.amazonaws.com
  aws_access_key_id: a50d28f4dd477bc184fbd10b376de753
  aws_secret_access_key: bc5785d3ece6a9cdefa42eb99b58986f9095ff1c
- address: docker.io
  username: octocat
  password: correct-horse-batter-staple
Registry credentials and secrets are conceptually different in Drone. Hopefully I can clarify.
Registry credentials are used to pull private images from a registry that are required by your pipeline. These are images specified in the image attribute (see below). For security reasons, registry credentials are only used by Drone itself, and are never exposed to your pipeline environment.
pipeline:
  build:
    image: 012345678910.dkr.ecr.us-east-1.amazonaws.com/some-private-image
Secrets, on the other hand, are used to inject sensitive configuration parameters into your pipeline environment. The Docker plugin requires a username and password to build and publish images to a registry. Since no plugins (not even the Docker plugin) have access to registry credentials, you need to use secrets. You can use global secrets here, but you still need the secrets section in your yaml.
Hopefully that makes sense. Let me know if you have any questions.
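As an added example (not from this thread or the Drone project), a small Ruby check that encodes the distinction above: it loads a .drone.yml, the global secrets file and drone-registry.yml and flags plugins/docker steps that have no secrets section or request secrets not defined globally, plus non-plugin steps whose private registry host has no entry in the registry file. The three inputs are constructed samples in the formats shown in the thread; the secret names docker_username/docker_password and the registry-host heuristic are assumptions.

```ruby
require "yaml"

# Constructed samples in the formats shown in the thread (not real credentials).
SAMPLE_DRONE_YML = <<~YAML
  pipeline:
    angular:
      image: plugins/docker
      repo: coinlion/angular
    api:
      image: plugins/docker
      repo: coinlion/api
      secrets: [ docker_username, docker_password ]
    build:
      image: 012345678910.dkr.ecr.us-east-1.amazonaws.com/some-private-image
YAML
SAMPLE_SECRETS_YML = <<~YAML
  - name: docker_username
    value: octocat
YAML
SAMPLE_REGISTRY_YML = <<~YAML
  - address: docker.io
    username: octocat
    password: example-password
YAML
# Assumed names the Docker plugin reads its registry login from.
DOCKER_PLUGIN_SECRETS = %w[docker_username docker_password].freeze

# Returns human-readable findings. Registry credentials only let Drone pull a step's
# own image and are never passed to the step, so plugins/docker needs `secrets:`.
def check_pipeline(drone_yml, secrets_yml, registry_yml)
  pipeline   = YAML.safe_load(drone_yml).fetch("pipeline", {})
  secrets    = YAML.safe_load(secrets_yml).map { |s| s["name"] }
  registries = YAML.safe_load(registry_yml).map { |r| r["address"] }
  findings   = []
  pipeline.each do |name, step|
    image = step["image"].to_s
    if image.start_with?("plugins/docker")
      requested = Array(step["secrets"])
      missing   = DOCKER_PLUGIN_SECRETS - requested
      findings << "#{name}: no secrets section requesting #{missing.join(', ')}" if missing.any?
      undefined = requested - secrets
      findings << "#{name}: secrets not in global secrets file: #{undefined.join(', ')}" if undefined.any?
    else
      # Heuristic: a first path component with '.' or ':' is a registry host; Hub images may be public, so skip them.
      parts = image.split("/")
      host  = (parts.size > 1 && parts.first =~ /[.:]/) ? parts.first : "docker.io"
      findings << "#{name}: no registry credentials for #{host}" unless host == "docker.io" || registries.include?(host)
    end
  end
  findings
end
```

Run it against your real files by reading them with File.read in place of the constructed samples; an empty result means every docker step requests its login and every private pull has credentials.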
AHA! 💡 I figured out why I was able to push images to our ECR… I had an IAM role set on our Drone instances and granted access that way… sorry to confuse (myself mostly). I just added the secrets and things are shiny now.
Thank you again @brad for all your help!