@metaplay/metaplay-auth 1.4.2 → 1.5.0

package/src/deployment.ts

@@ -1,6 +1,11 @@
-import { KubeConfig, CoreV1Api, V1Pod } from '@kubernetes/client-node'
+import { KubeConfig, CoreV1Api, type V1Pod, type CoreV1ApiListNamespacedPodRequest, type CoreV1ApiReadNamespacedPodLogRequest } from '@kubernetes/client-node'
 import { logger } from './logging.js'
-import type { CoreV1ApiListNamespacedPodRequest, CoreV1ApiReadNamespacedPodLogRequest } from '@kubernetes/client-node'
+import { TargetEnvironment } from 'targetenvironment.js'
+import { exit } from 'process'
+import { unlink, writeFile } from 'fs/promises'
+import { executeCommand, type ExecuteCommandResult } from './utils.js'
+import os from 'os'
+import path from 'path'
 
 enum GameServerPodPhase {
   Ready = 'Ready', // Successfully started and ready to accept traffic
@@ -16,7 +21,7 @@ interface GameServerPodStatus {
   details?: any
 }
 
-async function fetchGameServerPods (k8sApi: CoreV1Api, namespace: string) {
+async function fetchGameServerPods (k8sApi: CoreV1Api, namespace: string): Promise<V1Pod[]> {
   // Define label selector for gameserver
   logger.debug(`Fetching game server pods from Kubernetes: namespace=${namespace}`)
   const param: CoreV1ApiListNamespacedPodRequest = {
@@ -32,7 +37,7 @@ async function fetchGameServerPods (k8sApi: CoreV1Api, namespace: string) {
     return response.items
   } catch (error) {
     // \todo Better error handling ..
-    console.log('Failed to fetch pods from Kubernetes:', error)
+    console.error('Failed to fetch pods from Kubernetes:', error)
     throw new Error('Failed to fetch pods from Kubernetes')
   }
 }
@@ -77,9 +82,9 @@ function resolvePodContainersConditions (pod: V1Pod): GameServerPodStatus {
       // Try to detecth why the previous launch failed
       if (containerState.waiting) {
         const reason = containerState.waiting.reason
-        if (knownContainerFailureReasons.includes(reason as string)) {
+        if (reason && knownContainerFailureReasons.includes(reason)) {
           return { phase: GameServerPodPhase.Failed, message: `Container ${containerName} is in waiting state, reason=${reason}`, details: containerState.waiting }
-        } else if (knownContainerPendingReasons.includes(reason as string)) {
+        } else if (reason && knownContainerPendingReasons.includes(reason)) {
           return { phase: GameServerPodPhase.Pending, message: `Container ${containerName} is in waiting state, reason=${reason}`, details: containerState.waiting }
         } else {
           return { phase: GameServerPodPhase.Unknown, message: `Container ${containerName} is in waiting state, reason=${reason}`, details: containerState.waiting }
@@ -141,7 +146,20 @@ function resolvePodStatusConditions (pod: V1Pod): GameServerPodStatus {
   return { phase: GameServerPodPhase.Ready, message: 'Pod is ready to serve traffic' }
 }
 
-function resolvePodStatus (pod: V1Pod): GameServerPodStatus {
+function resolvePodGameServerImageTag (pod: V1Pod): string | null {
+  // Find the shard-server spec from the pod and extract image tag from spec
+  const containerSpec = pod.spec?.containers?.find(containerSpec => containerSpec.name === 'shard-server')
+  if (!containerSpec) {
+    return null
+  }
+  if (!containerSpec.image) {
+    return null
+  }
+  const [_, imageTag] = containerSpec.image.split(':')
+  return imageTag
+}
+
+function resolvePodStatus (pod: V1Pod, requiredImageTag: string | null): GameServerPodStatus {
   // logger.debug('resolvePodStatus(): pod =', JSON.stringify(pod, undefined, 2))
 
   if (!pod) {
@@ -152,6 +170,14 @@ function resolvePodStatus (pod: V1Pod): GameServerPodStatus {
     return { phase: GameServerPodPhase.Unknown, message: 'Unable to access pod.status from Kubernetes' }
   }
 
+  // Check the pod has the expected image.
+  if (requiredImageTag !== null) {
+    const podImageTag = resolvePodGameServerImageTag(pod)
+    if (podImageTag !== requiredImageTag) {
+      return { phase: GameServerPodPhase.Unknown, message: `Image tag is not (yet?) updated. Pod image is ${podImageTag ?? 'unknown'}, expecting ${requiredImageTag}.` }
+    }
+  }
+
   // Handle status.phase
   const podPhase = pod.status?.phase
   switch (podPhase) {
@@ -163,8 +189,14 @@ function resolvePodStatus (pod: V1Pod): GameServerPodStatus {
       // Pod has been scheduled and start -- note that the containers may have failed!
       return resolvePodStatusConditions(pod)
 
-    case 'Succeeded': // Should not happen, the game server pods should never stop
-    case 'Failed': // Should not happen, the game server pods should never stop
+    case 'Succeeded':
+      // Should not happen, the game server pods should never stop
+      return { phase: GameServerPodPhase.Unknown, message: 'Pod has unexpectedly terminated (with a clean exit status)' }
+
+    case 'Failed':
+      // Should not happen, the game server pods should never stop
+      return { phase: GameServerPodPhase.Unknown, message: 'Pod has unexpectedly terminated (with a failure exit status)' }
+
     case 'Unknown':
     default:
       return { phase: GameServerPodPhase.Unknown, message: `Invalid pod.status.phase: ${podPhase}` }
@@ -200,11 +232,11 @@ async function fetchPodLogs (k8sApi: CoreV1Api, pod: V1Pod) {
   }
 }
 
-async function checkGameServerPod (k8sApi: CoreV1Api, pod: V1Pod) {
+async function checkGameServerPod (k8sApi: CoreV1Api, pod: V1Pod, requiredImageTag: string | null) {
   // console.log('Pod:', JSON.stringify(pod, undefined, 2))
 
   // Classify game server status
-  const podStatus = resolvePodStatus(pod)
+  const podStatus = resolvePodStatus(pod, requiredImageTag)
   const podName = pod.metadata?.name ?? '<unable to resolve name>'
 
   // If game server launch failed, get the error logs
@@ -218,7 +250,7 @@ async function checkGameServerPod (k8sApi: CoreV1Api, pod: V1Pod) {
 }
 
 async function delay (ms: number): Promise<void> {
-  return await new Promise<void>(resolve => setTimeout(resolve, ms))
+  await new Promise<void>(resolve => setTimeout(resolve, ms))
 }
 
 function anyPodsInPhase (podStatuses: GameServerPodStatus[], phase: GameServerPodPhase): boolean {
@@ -229,7 +261,7 @@ function allPodsInPhase (podStatuses: GameServerPodStatus[], phase: GameServerPo
   return podStatuses.every(status => status.phase === phase)
 }
 
-export async function checkGameServerDeployment (namespace: string, kubeconfig: KubeConfig): Promise<number> {
+export async function checkGameServerDeployment (namespace: string, kubeconfig: KubeConfig, requiredImageTag: string | null): Promise<number> {
   const k8sApi = kubeconfig.makeApiClient(CoreV1Api)
 
   // Figure out when to stop
@@ -242,7 +274,7 @@ export async function checkGameServerDeployment (namespace: string, kubeconfig:
     logger.debug(`Found ${pods?.length} pod(s) deployed in Kubernetes`)
     if (pods.length > 0) {
       // Resolve status for all pods
-      const podStatuses = await Promise.all(pods.map(async pod => await checkGameServerPod(k8sApi, pod)))
+      const podStatuses = await Promise.all(pods.map(async pod => await checkGameServerPod(k8sApi, pod, requiredImageTag)))
       logger.debug(`Pod phases: ${podStatuses.map(status => status.phase)}`)
 
       // Handle state of the deployment
@@ -285,3 +317,81 @@ export async function checkGameServerDeployment (namespace: string, kubeconfig:
     await delay(2000)
   }
 }
+
+export async function debugGameServer (targetEnv: TargetEnvironment, targetPodName?: string) {
+  // Initialize kubeconfig for target environment
+  logger.debug('Get kubeconfig')
+  let kubeconfigPayload
+  const kubeconfig = new KubeConfig()
+  try {
+    kubeconfigPayload = await targetEnv.getKubeConfig()
+    kubeconfig.loadFromString(kubeconfigPayload)
+  } catch (error) {
+    console.error(`Failed to fetch kubeconfig for environment: ${error}`)
+    exit(1)
+  }
+
+  // Fetch environment details
+  logger.debug('Get environment details')
+  const envInfo = await targetEnv.getEnvironmentDetails()
+  const kubernetesNamespace = envInfo.deployment.kubernetes_namespace
+
+  // Resolve which pods are running in the target environment
+  logger.debug('Get running game server pods')
+  const k8sApi = kubeconfig.makeApiClient(CoreV1Api)
+  const gameServerPods = await fetchGameServerPods(k8sApi, kubernetesNamespace)
+
+  // If no pod name is specified, automaticalyl target a singleton pod or fail if there are multiple
+  if (!targetPodName) {
+    if (gameServerPods.length === 1) {
+      const metadata = gameServerPods[0].metadata
+      if (!metadata?.name) {
+        throw new Error('Unable to resolve name for the Kubernetes pod!')
+      }
+      targetPodName = metadata.name
+    } else {
+      const podNames = gameServerPods.map(pod => pod.metadata?.name).join(', ')
+      console.error(`Multiple game server pods running: ${podNames}\nPlease specify which you want to debug.`)
+      exit(1)
+    }
+  }
+
+  // Execute 'kubectl debug ..'
+  const tmpKubeconfigPath = path.join(os.tmpdir(), `temp-kubeconfig-${+Date.now()}`)
+  try {
+    // Write kubeconfig to a file
+    logger.debug(`Write temporary kubeconfig to ${tmpKubeconfigPath}`)
+    await writeFile(tmpKubeconfigPath, kubeconfigPayload)
+
+    // Run kubctl
+    // const args = [`--kubeconfig=${tmpKubeconfigPath}`, `--namespace=${kubernetesNamespace}`, 'get', 'pods']
+    const args = [
+      `--kubeconfig=${tmpKubeconfigPath}`,
+      `--namespace=${kubernetesNamespace}`,
+      'debug',
+      targetPodName,
+      '-it',
+      '--profile=general',
+      '--image=metaplay/diagnostics:latest',
+      '--target=shard-server'
+    ]
+    console.log(`Execute: kubectl ${args.join(' ')}`)
+    const execResult = await executeCommand('kubectl', args, true)
+
+    // Remove temporary kubeconfig
+    logger.debug('Delete temporary kubeconfig')
+    await unlink(tmpKubeconfigPath)
+
+    // Forward exit code
+    if (execResult?.exitCode !== 0) {
+      console.error(`kubectl failed failed with exit code ${execResult.exitCode}`)
+      exit(execResult.exitCode)
+    }
+  } catch (err) {
+    console.error(`Failed to execute 'kubectl': ${err}. You need to have kubectl installed to debug a game server with metaplay-auth.`)
+
+    // Remove temporary kubeconfig
+    logger.debug('Delete temporary kubeconfig')
+    await unlink(tmpKubeconfigPath)
+  }
+}

package/src/stackapi.ts

@@ -1,87 +1,11 @@
-import { isValidFQDN, getGameserverAdminUrl } from './utils.js'
 import { logger } from './logging.js'
-import { dump } from 'js-yaml'
-import { getUserinfo } from './auth.js'
-import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr'
+import { type EnvironmentDetails } from './targetenvironment.js'
 
-interface AwsCredentialsResponse {
-  AccessKeyId: string
-  SecretAccessKey: string
-  SessionToken: string
-  Expiration: string
-}
-
-export interface GameserverId {
-  gameserver?: string
-  organization?: string
-  project?: string
-  environment?: string
-}
-
-interface KubeConfig {
-  apiVersion?: string
-  kind: string
-  'current-context': string
-  clusters: KubeConfigCluster[]
-  contexts: KubeConfigContext[]
-  users: KubeConfigUser[]
-  preferences?: any
-}
-
-interface KubeConfigCluster {
-  cluster: {
-    'certificate-authority-data': string
-    server: string
-  }
-  name: string
-}
-
-interface KubeConfigContext {
-  context: {
-    cluster: string
-    user: string
-    namespace?: string
-  }
-  name: string
-}
-
-interface KubeConfigUser {
-  name: string
-  user: {
-    token?: string
-    exec?: {
-      command: string
-      args: string[]
-      apiVersion: string
-    }
-  }
-}
-
-interface KubeExecCredential {
-  apiVersion: string
-  kind: string
-  spec: {
-    cluster?: {
-      server: string
-      certificateAuthorityData: string
-    }
-  }
-  status: {
-    token: string
-    expirationTimestamp: string
-  }
-}
-
-export interface DockerCredentials {
-  username: string
-  password: string
-  registryUrl: string
-}
+export const defaultStackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi'
 
 export class StackAPI {
   private readonly accessToken: string
-
-  private readonly _stackApiBaseUrl: string
+  private readonly stackApiBaseUrl: string
 
   constructor (accessToken: string, stackApiBaseUrl: string | undefined) {
     if (accessToken == null) {
@@ -91,250 +15,15 @@ export class StackAPI {
     this.accessToken = accessToken
 
     if (stackApiBaseUrl) {
-      this._stackApiBaseUrl = stackApiBaseUrl.replace(/\/$/, '') // Remove trailing slash
+      this.stackApiBaseUrl = stackApiBaseUrl.replace(/\/$/, '') // Remove trailing slash
     } else {
-      this._stackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi'
+      this.stackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi'
     }
   }
 
-  async getAwsCredentials (gs: GameserverId): Promise<AwsCredentialsResponse> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/credentials/aws`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/aws`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/aws`
-    } else {
-      throw new Error('Invalid arguments for getAwsCredentials')
-    }
-
-    logger.debug(`Getting AWS credentials from ${url}...`)
-    const response = await fetch(url, {
-      method: 'POST',
-      headers: {
-        Authorization: `Bearer ${this.accessToken}`,
-        'Content-Type': 'application/json'
-      }
-    })
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch AWS credentials: ${response.statusText}, response code=${response.status}`)
-    }
-
-    return await response.json()
-  }
-
-  async getKubeConfig (gs: GameserverId): Promise<string> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/credentials/k8s`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s`
-    } else {
-      throw new Error('Invalid arguments for getKubeConfig')
-    }
-
-    logger.debug(`Getting KubeConfig from ${url}...`)
-
-    let response
-    try {
-      response = await fetch(url, {
-        method: 'POST',
-        headers: {
-          Authorization: `Bearer ${this.accessToken}`,
-          'Content-Type': 'application/json'
-        }
-      })
-    } catch (error: any) {
-      logger.error(`Failed to fetch kubeconfig from ${url}`)
-      logger.error('Fetch error details:', error)
-      if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
-        throw new Error(`Failed to to fetch kubeconfig: SSL certificate validation failed for ${url}. Is someone trying to tamper with your internet connection?`)
-      }
-      throw new Error(`Failed to fetch kubeconfig from ${url}: ${error}`)
-    }
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch KubeConfigs: ${response.statusText}`)
-    }
-
-    return await response.text()
-  }
-
-  /**
-   * Get a `kubeconfig` payload which invokes `metaplay-auth get-kubernetes-execcredential` to get the actual
-   * access credentials each time the kubeconfig is used.
-   * @param gs Game server environment to get credentials for.
-   * @returns The kubeconfig YAML.
-   */
-  async getKubeConfigExecCredential (gs: GameserverId): Promise<string> {
-    let url = ''
-    let gsSlug = ''
-    const execArgs = ['get-kubernetes-execcredential']
-    if (gs.gameserver != null) {
-      const adminUrl = getGameserverAdminUrl(gs.gameserver)
-      url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`
-      gsSlug = gs.gameserver
-      execArgs.push('--gameserver', gs.gameserver)
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`
-      gsSlug = `${gs.organization}.${gs.project}.${gs.environment}`
-      execArgs.push(`${gs.organization}-${gs.project}-${gs.environment}`)
-    } else {
-      throw new Error('Invalid arguments for getKubeConfigExecCredential')
-    }
-
-    logger.debug(`Getting Kubernetes KubeConfig from ${url}...`)
-
-    let response
-    try {
-      response = await fetch(url, {
-        method: 'POST',
-        headers: {
-          Authorization: `Bearer ${this.accessToken}`,
-          'Content-Type': 'application/json'
-        }
-      })
-    } catch (error: any) {
-      logger.error(`Failed to fetch kubeconfig from ${url}`)
-      logger.error('Fetch error details:', error)
-      if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
-        throw new Error(`Failed to to fetch kubeconfig: SSL certificate validation failed for ${url}. Is someone trying to tamper with your internet connection?`)
-      }
-      throw new Error(`Failed to fetch kubeconfig from ${url}: ${error}`)
-    }
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch Kubernetes KubeConfig: ${response.statusText}`)
-    }
-
-    // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
-    let kubeExecCredential
-    try {
-      kubeExecCredential = await response.json() as KubeExecCredential
-    } catch {
-      throw new Error('Failed to fetch Kubernetes KubeConfig: the server response is not JSON')
-    }
-
-    if (!kubeExecCredential.spec.cluster) {
-      throw new Error('Received kubeExecCredential with missing spec.cluster')
-    }
-
-    let namespace = 'default'
-    let user = 'user'
-
-    try {
-      const environment = await this.getEnvironmentDetails(gs)
-      namespace = environment.deployment?.kubernetes_namespace ?? namespace
-    } catch (e) {
-      logger.debug('Failed to get environment details, using defaults', e)
-    }
-
-    try {
-      const userinfo = await getUserinfo(this.accessToken)
-      user = userinfo.sub ?? user
-    } catch (e) {
-      logger.debug('Failed to get userinfo, using defaults', e)
-    }
-
-    const kubeConfig: KubeConfig = {
-      apiVersion: 'v1',
-      kind: 'Config',
-      'current-context': gsSlug,
-      clusters: [
-        {
-          cluster: {
-            'certificate-authority-data': kubeExecCredential.spec.cluster.certificateAuthorityData,
-            server: kubeExecCredential.spec.cluster.server
-          },
-          name: kubeExecCredential.spec.cluster.server
-        }
-      ],
-      contexts: [
-        {
-          context: {
-            cluster: kubeExecCredential.spec.cluster.server,
-            namespace,
-            user
-          },
-          name: gsSlug,
-        }
-      ],
-      users: [
-        {
-          name: user,
-          user: {
-            exec: {
-              apiVersion: 'client.authentication.k8s.io/v1beta1',
-              command: 'metaplay-auth', // todo: figure out how to refer to metaplay-auth itself
-              args: execArgs,
-            }
-          }
-        }
-      ],
-    }
-
-    // return as yaml for easier consumption
-    return dump(kubeConfig)
-  }
-
-  async getKubeExecCredential (gs: GameserverId): Promise<string> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s?type=execcredential`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`
-    } else {
-      throw new Error('Invalid arguments for getKubeConfig')
-    }
-
-    logger.debug(`Getting Kubernetes ExecCredential from ${url}...`)
-
-    const response = await fetch(url, {
-      method: 'POST',
-      headers: {
-        Authorization: `Bearer ${this.accessToken}`,
-        'Content-Type': 'application/json'
-      }
-    })
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch Kubernetes ExecCredential: ${response.statusText}`)
-    }
-
-    return await response.text()
-  }
-
-  async getEnvironmentDetails (gs: GameserverId): Promise<any> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/environment`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/deployments/${gs.gameserver}`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}`
-    } else {
-      throw new Error('Invalid arguments for environment details')
-    }
-
-    logger.debug(`Getting environment details from ${url}...`)
+  async resolveManagedEnvironmentFQDN (organization: string, project: string, environment: string): Promise<string> {
+    const url = `${this.stackApiBaseUrl}/v1/servers/${organization}/${project}/${environment}`
+    logger.debug(`Getting environment information from ${url}...`)
     const response = await fetch(url, {
       method: 'GET',
       headers: {
@@ -343,53 +32,19 @@ export class StackAPI {
       }
     })
 
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch environment details: ${response.statusText}`)
+    // Throw on server errors (eg, forbidden)
+    if (!response.ok) {
+      const errorData = await response.json()
+      throw new Error(`Failed to fetch environment details with error ${response.status}: ${JSON.stringify(errorData)}`)
     }
 
-    return await response.json()
-  }
-
-  async getDockerCredentials (gameserverId: GameserverId): Promise<DockerCredentials> {
-    // Get environment info (for AWS region)
-    logger.debug('Get environment info')
-    const envInfo = await this.getEnvironmentDetails(gameserverId)
-
-    // Fetch AWS credentials from Metaplay cloud
-    logger.debug('Get AWS credentials from Metaplay')
-    const awsCredentials = await this.getAwsCredentials(gameserverId)
-
-    // Create ECR client with credentials
-    logger.debug('Create ECR client')
-    const client = new ECRClient({
-      credentials: {
-        accessKeyId: awsCredentials.AccessKeyId,
-        secretAccessKey: awsCredentials.SecretAccessKey,
-        sessionToken: awsCredentials.SessionToken
-      },
-      region: envInfo.deployment.aws_region
-    })
-
-    // Fetch the ECR docker authentication token
-    logger.debug('Fetch ECR login credentials from AWS')
-    const command = new GetAuthorizationTokenCommand({})
-    const response = await client.send(command)
-    if (!response.authorizationData || response.authorizationData.length === 0 || !response.authorizationData[0].authorizationToken || !response.authorizationData[0].proxyEndpoint) {
-      throw new Error('Received an empty authorization token response for ECR repository')
+    // Sanity check that response is of the right structure
+    const envDetails = await response.json() as EnvironmentDetails
+    logger.debug(`Received environment details: ${JSON.stringify(envDetails)}`)
+    if (!envDetails.deployment) {
+      throw new Error(`Received invalid environment details -- missing .deployment: ${JSON.stringify(envDetails)}`)
     }
 
-    // Parse username and password from the response (separated by a ':')
-    logger.debug('Parse ECR response')
-    const registryUrl = response.authorizationData[0].proxyEndpoint
-    const authorization64 = response.authorizationData[0].authorizationToken
-    const authorization = Buffer.from(authorization64, 'base64').toString()
-    const [username, password] = authorization.split(':')
-    logger.debug(`ECR: username=${username}, proxyEndpoint=${registryUrl}`)
-
-    return {
-      username,
-      password,
-      registryUrl
-    } satisfies DockerCredentials
+    return envDetails.deployment.server_hostname
   }
 }