
ECR credentials for AWS using Vault #7832

Open
fairbairn opened this issue Apr 29, 2020 · 1 comment
Labels
theme/docs Documentation issues and enhancements theme/environment-aws theme/vault

Comments

@fairbairn

We've been trying to ascertain a clean way in which we can leverage Vault to provide credentials (or scripts or syntax) to a nomad job through the template, without physically colocating AWS keys/secrets onto the nomad host itself.

Is there no way to do this without touching the actual nomad server?

We'd like to be able to plan out job/tasks that cross over several ECR repositories, and private repos, not just one, and although we could put numerous profiles in the /root/.aws/credentials file, that pretty much defeats the use of Vault to keep this information out of people's hands.

We haven't found a clean way to do this.

Is this possible?

Existing cluster, already integrated with Vault. Leave it untouched. We have a new task that needs to pull the image from ECR.

@tgross
Member

tgross commented Jun 22, 2020

Hi @fairbairn! We don't have a published example of that, but it seems like an obvious gap in the docs! I think you'd want to implement this as a Docker auth helper: https://www.nomadproject.io/docs/drivers/docker/#authentication, especially given the need to cross over multiple registries.

That being said, given that you're on AWS and using ECR, you might find better results from assigning an IAM role to the client nodes that has a restrictive set of permissions to pull from the ECR registry and nothing else.
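A sketch of the Docker credential helper tgross points at, added here as an example that is not part of the issue or the Nomad project's code: a `docker-credential-ecr-vault` script that answers Docker's `get` request by reading short-lived AWS credentials from Vault's AWS secrets engine and exchanging them for an ECR password through the AWS CLI, so no static keys sit in `/root/.aws/credentials`. The Vault path `aws/creds/ecr-pull` and the helper name are assumptions.

```python
# docker-credential-ecr-vault: Docker credential helper that reads short-lived AWS
# credentials from Vault and exchanges them for an ECR login (assumed design).
import json
import os
import re
import subprocess
import sys

# Assumed Vault AWS secrets engine path; the mount and role names are placeholders.
VAULT_AWS_CREDS_PATH = os.environ.get("VAULT_AWS_CREDS_PATH", "aws/creds/ecr-pull")
ECR_HOST = re.compile(
    r"^(?:https?://)?(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(?:/.*)?$")

def parse_ecr_registry(server_url):
    """Return (account_id, region) for an ECR registry URL, None for anything else."""
    m = ECR_HOST.match(server_url.strip())
    return (m.group(1), m.group(2)) if m else None

def helper_response(server_url, password):
    """JSON reply to the helper 'get' action; ECR always uses the fixed username AWS."""
    return json.dumps({"ServerURL": server_url, "Username": "AWS", "Secret": password})

def vault_aws_env(base_env):
    """Read dynamic AWS creds from Vault and hand them to the AWS CLI via env vars."""
    out = subprocess.run(["vault", "read", "-format=json", VAULT_AWS_CREDS_PATH],
                         check=True, capture_output=True, text=True).stdout
    data = json.loads(out)["data"]
    env = dict(base_env, AWS_ACCESS_KEY_ID=data["access_key"],
               AWS_SECRET_ACCESS_KEY=data["secret_key"])
    if data.get("security_token"):  # present for STS-backed (assumed_role) Vault roles
        env["AWS_SESSION_TOKEN"] = data["security_token"]
    return env

def main():
    if sys.argv[1:] != ["get"]:  # store/erase/list make no sense for dynamic creds
        print("ecr-vault helper only implements 'get'", file=sys.stderr)
        return 1
    server_url = sys.stdin.read().strip()
    parsed = parse_ecr_registry(server_url)
    if parsed is None:  # Docker's "not found" signal, so other auth sources are tried
        print("credentials not found in native keychain", file=sys.stderr)
        return 1
    password = subprocess.run(["aws", "ecr", "get-login-password", "--region", parsed[1]],
                              check=True, capture_output=True, text=True,
                              env=vault_aws_env(os.environ)).stdout.strip()
    print(helper_response(server_url, password))
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Installed on each client as `docker-credential-ecr-vault`, it is selected with `helper = "ecr-vault"` in the docker plugin's `auth` block from the linked docs; because the helper only honours ECR hostnames, pulls from other private registries fall through to the configured `config` file instead.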
