ECR-Credentials-Fetcher

Simple means of updating Docker credentials for ECR use outside of AWS

Repo here

Using Amazon's EC2 Container Registry (ECR) from outside of the AWS cloud requires regular re-authentication (currently every 12 hours). This poses problems for automated builds and deployments. This container is an as-simple-as-possible solution to that problem. In Kubernetes, there are other solutions (e.g., using ServiceAccounts, ImagePullSecrets, or waiting for this to be built in). This solution uses an AWS access key with permissions to log in to ECR and refreshes the Docker login credentials at a given interval.

WARNING: This has only been tested using CoreOS hosts. Since there is some volume-mount trickery and use of the docker binary from the host inside the container, your mileage may vary. For this same reason, you should evaluate the security readiness of this solution for your environment.

Using the image with Kubernetes

  1. Create an AWS user with only the arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly policy applied. Create an Access Key pair for this user.
  2. The k8s/ecr-credentials-fetcher-daemonset.yml can be customized to create a DaemonSet that will keep all nodes in a cluster capable of working with ECR. If you are using the repo/Makefile, it is capable of doing this customization.
  3. Set up a Secret named ecr-credentials-fetcher-secret. Update the k8s/create_secret script with the AWS credentials obtained in the first step and use it to create the secret.

     k8s/create_secret
    
  4. Create the DaemonSet.

     kubectl apply -f k8s-rendered/ecr-credentials-fetcher-daemonset.yml
    
  5. Verify that you can pull (or push) images to ECR as needed.

Assumptions

  • The following awscli-required variables are passed in. In Kubernetes, these are assumed to be part of the Secret used by the pod.
    • AWS_ACCESS_KEY_ID
    • AWS_SECRET_ACCESS_KEY
    • AWS_DEFAULT_REGION
  • The user running the container has the appropriate .docker/ directory (the one holding config.json) mounted from the host (e.g., /root/.docker/ or /var/lib/kubelet/). This should be mounted into the container at /root/.docker/.
  • The docker client binary from the host is volume mounted into the container and runnable there.
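The refresh step the fetcher performs, written out as an added example in Python (this is not the project's own code, which drives awscli and the host's docker binary). It takes a `get-authorization-token` response, decodes the `AWS:<password>` token, merges only the ECR entry into config.json while leaving other registries untouched, writes the file readable by its owner only, checks for the three variables listed above, and computes the next refresh time with a margin before the 12-hour expiry. The response embedded below is constructed; in real use it comes from `aws ecr get-authorization-token`.

```python
"""Refresh the Docker client's ECR login from a GetAuthorizationToken response.

Added example, not ecr-credentials-fetcher's own code. CONSTRUCTED_RESPONSE is a
made-up sample in the shape that `aws ecr get-authorization-token` returns.
"""
import base64
import json
import os
import stat
import tempfile
from datetime import datetime, timedelta

# The awscli variables the README assumes are present in the pod's Secret.
REQUIRED_ENV = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_DEFAULT_REGION")

# Constructed sample: the token is base64("AWS:<password>"); the password,
# account id and expiry are placeholders, not real values.
CONSTRUCTED_RESPONSE = {
    "authorizationData": [
        {
            "authorizationToken": base64.b64encode(b"AWS:example-ecr-password").decode(),
            "expiresAt": "2024-01-01T12:00:00+00:00",
            "proxyEndpoint": "https://123456789012.dkr.ecr.us-east-1.amazonaws.com",
        }
    ]
}


def missing_env(env=os.environ):
    """Return the required awscli variables that are unset or empty."""
    return [name for name in REQUIRED_ENV if not env.get(name)]


def parse_authorization(response):
    """Extract (registry, user, password, expires_at) from the token response."""
    data = response["authorizationData"][0]
    user, password = base64.b64decode(data["authorizationToken"]).decode().split(":", 1)
    registry = data["proxyEndpoint"].split("://", 1)[-1]  # docker login wants the host
    expires = data["expiresAt"]
    if not isinstance(expires, datetime):  # CLI gives ISO text, boto3 gives datetime
        expires = datetime.fromisoformat(expires)
    return registry, user, password, expires


def merge_docker_auth(config, registry, user, password):
    """Return a copy of config.json content with only the ECR entry replaced."""
    merged = json.loads(json.dumps(config)) if config else {}
    auths = merged.setdefault("auths", {})
    auths[registry] = {"auth": base64.b64encode(f"{user}:{password}".encode()).decode()}
    return merged


def write_docker_config(path, config):
    """Write config.json atomically, owner read/write only: it holds a credential."""
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".config.json.")
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
    os.replace(tmp, path)


def seconds_until_refresh(expires_at, now, margin=timedelta(hours=1)):
    """Seconds to sleep so the login is renewed `margin` before it expires (min 60)."""
    return max(60, int((expires_at - margin - now).total_seconds()))


def refresh_once(response, config_path):
    """One iteration of the fetcher loop, given an already-fetched token response."""
    registry, user, password, expires = parse_authorization(response)
    try:
        with open(config_path) as fh:
            existing = json.load(fh)
    except FileNotFoundError:
        existing = {}
    write_docker_config(config_path, merge_docker_auth(existing, registry, user, password))
    return registry, expires


if __name__ == "__main__":
    # Demo against a throwaway directory so the real ~/.docker/config.json is untouched.
    if missing_env():
        print("would refuse to start; missing:", ", ".join(missing_env()))
    demo_path = os.path.join(tempfile.mkdtemp(), "config.json")
    registry, expires = refresh_once(CONSTRUCTED_RESPONSE, demo_path)
    print("logged in to", registry, "; next refresh in",
          seconds_until_refresh(expires, expires - timedelta(hours=12)), "seconds")
    print(open(demo_path).read())
```

In the DaemonSet this runs in a loop: fetch a token, call `refresh_once` against the mounted /root/.docker/config.json, sleep for `seconds_until_refresh`, repeat. Replacing only the ECR key rather than rewriting the whole file matters on shared hosts, where config.json may also carry logins for other registries.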

Owner: returnpath