AWS ECR requires a CLI login before any docker image push or pull. I currently have my Jenkins job running the aws ecr get-login command. However, I prefer not to install the Amazon toolkit on all my build infrastructure and require all our developers to also install the Amazon toolkit.
I would like to submit a PR that would invoke the GetAuthorizationToken API to exchange AWS IAM credentials for temporary ECR credentials. This PR would augment the AuthConfigFactory. Any login credentials specified for an ECR repository would be considered IAM credentials needing exchange.
An ECR repository has a URL of the form https://awsAccountId.dkr.ecr.awsRegion.amazonaws.com/repositoryName
1. Should credentials explicitly specified with docker.* properties be exchanged?
2. Should credentials from ~/.config/kube be exchanged?
3. Should credentials provided in plugin configuration be exchanged?
4. Should credentials from .m2/settings be exchanged?
5. Should credentials from ~/.docker/config.json be exchanged?
6. Should there be a flag to prevent the exchange?
I'm thinking that credentials 1, 2, 3, 4 should be exchanged. ~/.docker/config.json likely contains already exchanged credentials. ~/.config/kube likely contains IAM credentials, as Kubernetes "will fetch and periodically refresh ECR credentials".
If I understand you right, d-m-p would do an exchange to obtain an AWS token when it detects that ECR is used in pulls or pushes.
This token is then used as the password, right?
Would it be harmful to always do the exchange? At that point in the code the credentials have already been picked up from the various places, so maybe we do not need to distinguish all the cases above.
There should be a flag to opt out of this feature if people want to do the authorization on their own.
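An added sketch, not docker-maven-plugin code, of the two offline pieces this discussion implies: deciding from the registry host whether the exchange applies (with the opt-out flag), and turning the base64 `authorizationToken` that GetAuthorizationToken returns into a username and password. The class, method and flag names are hypothetical, the hosts and token are constructed, and the pattern covers only the host form given in the issue.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical class for illustration; uses records (Java 16+).
public class EcrAuthSketch {
    // Host form from the issue: awsAccountId.dkr.ecr.awsRegion.amazonaws.com
    // Assumption: 12-digit account id. Anchored at both ends so that a host
    // which merely contains an ECR-looking name is not treated as ECR.
    private static final Pattern ECR_HOST =
        Pattern.compile("^(\\d{12})\\.dkr\\.ecr\\.([a-z0-9-]+)\\.amazonaws\\.com$");

    record EcrRegistry(String accountId, String region) {}
    record RegistryLogin(String username, String password) {}

    /** Account id and region when the host is ECR and the exchange is not opted out. */
    static Optional<EcrRegistry> needsExchange(String registryHost, boolean skipExchange) {
        if (skipExchange || registryHost == null) return Optional.empty();
        Matcher m = ECR_HOST.matcher(registryHost.toLowerCase(Locale.ROOT));
        return m.matches()
            ? Optional.of(new EcrRegistry(m.group(1), m.group(2)))
            : Optional.empty();
    }

    /** The authorization token is base64 of "username:password"; split on the first colon. */
    static RegistryLogin decodeToken(String authorizationToken) {
        String decoded = new String(
            Base64.getDecoder().decode(authorizationToken), StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 1) throw new IllegalArgumentException("unexpected token format");
        return new RegistryLogin(decoded.substring(0, colon), decoded.substring(colon + 1));
    }

    public static void main(String[] args) {
        String[] hosts = {                                   // constructed samples
            "123456789012.dkr.ecr.us-east-1.amazonaws.com",
            "123456789012.dkr.ecr.us-east-1.amazonaws.com.example.net", // lookalike
            "registry.example.com"
        };
        for (String h : hosts) System.out.println(h + " -> " + needsExchange(h, false));
        System.out.println("opt-out -> " + needsExchange(hosts[0], true));

        // Constructed token standing in for a GetAuthorizationToken response.
        String token = Base64.getEncoder()
            .encodeToString("AWS:constructed-secret".getBytes(StandardCharsets.UTF_8));
        RegistryLogin login = decodeToken(token);
        // Never log the password itself; it is a live registry credential.
        System.out.println(login.username() + " / password length " + login.password().length());
    }
}
```

Only the first sample host matches; the lookalike and the non-ECR host return an empty result, so no credentials would be exchanged or forwarded for them.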