Skip to content
/ ecr-k8s-secret-creator Public

Allowing K8S to refresh expiring ECR tokens outside of EKS

License

MIT license
2 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

dispatchitinc/ecr-k8s-secret-creator

BranchesTags

Repository files navigation

Go Report Card

ECR K8S Secret Creator

This application refreshes the ECR tokens that expire every 12 hours. EKS has this capability built into the IAM roles, but when running outside of EKS you'll need to manage this functionality yourself with an instance profile. There are many solutions for this like including a cron job and a third-party aws-kubectl image, but this solution worked best for us because:

  • Uses a distroless container
  • Deploy your own container (don't trust unvetted 3rd party images)
  • Easier to manage logs
  • Version lock your docker containers (not using latest)
  • Uses roles/creds/etc. to generate the secret
  • Helm chart for installation
  • Deploy the secret to multiple namespaces
  • SBOM generated for every version

This application creates a docker config.json (as a Kubernetes secret) that can authenticate docker clients to Amazon ECR. It is using the ECR GetAuthorizationToken API to fetch the token from a specific AWS region.

Installation

You can add the helm chart below with a custom values.yaml file to override your specific settings.

helm repo add dispatch-secret-creator https://dispatchitinc.github.io/ecr-k8s-secret-creator/
helm install ecr-k8s-secret-creator dispatch-secret-creator/ecr-k8s-secret-creator

IAM Policy

You will need to set up an IAM policy that is attached to an AWS EC2 IAM Role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}
aws iam create-policy \
  --policy-name ${GET_ECR_AUTH_IAM_POLICY} \
  --policy-document file://iam-policy.json \
  --description "A policy that can get ECR authorization token"

IAM Role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${AWS_PROFILE}:role/${IAM_K8S_NODE_ROLE}"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
aws iam create-role \
  --role-name ${GET_ECR_AUTH_IAM_ROLE} \
  --assume-role-policy-document file://ec2-iam-trust.json

Attaching the Policy

aws iam attach-role-policy \
  --role-name ${GET_ECR_AUTH_IAM_ROLE} \
  --policy-arn arn:aws:iam::${AWS_PROFILE}:policy/${GET_ECR_AUTH_IAM_POLICY}

Contributors

A special thanks to @bzon for the initial thoughts.

About

Allowing K8S to refresh expiring ECR tokens outside of EKS

Topics

kubernetes ecr ecr-repositories secrets-management

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

2 stars

Watchers

4 watching

Forks

0 forks
Report repository

Releases 19

ecr-k8s-secret-creator-0.2.25 Latest
Sep 16, 2024
+ 18 releases

Packages

 
 
 

Contributors 5

Languages