
[Feat]: Support for AWS ECR Authentication with Temporary Tokens #2650

Open
tamilhce opened this issue Sep 16, 2024 · 6 comments
Labels
feature New feature or request rm-external Roadmap item submitted by non-maintainers

Comments

@tamilhce

tamilhce commented Sep 16, 2024

Title: Support for AWS ECR Authentication with Temporary Tokens

Description

We have configured AWS ECR as a sync registry for Zot running in our local cluster. Currently, Zot expects registry credentials in the following format:

"registry2:5000": {
    "username": "user2",
    "password": "pass2"
}

However, AWS ECR provides temporary tokens for authentication, as described in the AWS ECR documentation. For Docker, the amazon-ecr-credential-helper manages this by setting the token in the format expected by the Docker daemon, which is the standard for accessing ECR.

I am opening this ticket to discuss potential options for handling ECR's temporary token mechanism in Zot. I'm happy to contribute by adding an extension to Zot if needed. I would appreciate your valuable suggestions and feedback on the best approach for this enhancement.

@tamilhce tamilhce added the feature New feature or request label Sep 16, 2024
@rchincha
Contributor

@tamilhce thanks for trying out zot.

Looks like there is a requirement for a per-upstream credentials helper.
There will need to be changes in the config model and some backend code.

For the sync (mirroring) feature, zot is both a server and a client, so expect some of these issues to pop up.

> I am opening this ticket to discuss potential options for handling ECR's temporary token mechanism in Zot. I'm happy to contribute by adding an extension to Zot if needed.

Always happy to receive PR/contributions if it helps/enables use cases.

Pls take a look at our existing config model and post a draft PR. We can iterate on it.

@rchincha rchincha added the rm-external Roadmap item submitted by non-maintainers label Sep 26, 2024
@tamilhce
Author

Sure, @rchincha. In the meantime, I reviewed the amazon-ecr-credential-helper. I don't think we can directly leverage it because amazon-ecr-credential-helper is installed on each node. This requires Zot to have access to the root filesystem.

Instead, we could implement something like:

"registry2:5000": {
  "credential-store": "ecr"
}

In this approach, Zot would manage ECR credentials directly based on the credential-store.
We can give the Zot pod access to ECR by assigning the appropriate IAM roles (similar to https://zotregistry.dev/v2.0.0/articles/storage/#configuring-remote-storage-with-s3). The AWS profile attached to the pod should follow a similar role setup:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings"
      ],
      "Resource": "*"
    }
  ]
}

We can fetch the authorization token using the go AWS SDK, similar to this command, and ensure the token stays up to date by periodically validating its expiration:

TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')

Then, update the requests with the corresponding token for API authentication, as shown below:

curl -i -H "Authorization: Basic $TOKEN" https://aws_account_id.dkr.ecr.region.amazonaws.com/v2/amazonlinux/tags/list

I haven’t had the chance to work on this yet, but I’ll prioritize it for next week.
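The refresh-and-reuse logic sketched in the comment above, written out as an added example in Go (Zot's language); this is not code from the issue author's branch or from the Zot project. The AWS SDK call is replaced by a `TokenFetcher` function so the example runs offline; the `ECRToken`, `ECRCredentialStore`, `NewECRCredentialStore`, `Credentials` and `Authorize` names are assumptions for illustration. What it does show is the part that is fixed by ECR itself: the authorization token is base64 of `AWS:<password>`, it carries an expiry (about 12 hours in practice), and the registry expects it as HTTP Basic auth, so the store decodes the token once, refreshes it when it is within a safety margin of expiring, and sets the header on each outgoing request.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// ECRToken mirrors the two fields of one authorizationData entry returned by
// ecr:GetAuthorizationToken: the base64("AWS:<password>") token and its expiry.
type ECRToken struct {
	AuthorizationToken string
	ExpiresAt          time.Time
}

// TokenFetcher stands in for the AWS SDK call (assumption: in a real build this
// would wrap ecr.Client.GetAuthorizationToken).
type TokenFetcher func() (ECRToken, error)

// ECRCredentialStore caches one decoded token and refreshes it when it is
// within `margin` of expiring, so a request never goes out with a stale token.
type ECRCredentialStore struct {
	mu       sync.Mutex
	fetch    TokenFetcher
	now      func() time.Time // injectable clock, defaults to time.Now
	margin   time.Duration
	token    ECRToken
	username string
	password string
}

// NewECRCredentialStore builds a store; pass nil for `now` to use the wall clock.
func NewECRCredentialStore(fetch TokenFetcher, margin time.Duration, now func() time.Time) *ECRCredentialStore {
	if now == nil {
		now = time.Now
	}
	return &ECRCredentialStore{fetch: fetch, now: now, margin: margin}
}

// decodeECRToken splits the base64 token into the user:password pair that the
// registry expects as Basic auth; ECR always uses the literal user "AWS".
func decodeECRToken(tok string) (user, pass string, err error) {
	raw, err := base64.StdEncoding.DecodeString(tok)
	if err != nil {
		return "", "", fmt.Errorf("ecr token is not base64: %w", err)
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok || user == "" || pass == "" {
		return "", "", errors.New("ecr token did not decode to user:password")
	}
	return user, pass, nil
}

// Credentials returns a currently valid username/password pair, fetching a new
// token when none is cached or the cached one expires within the margin.
func (s *ECRCredentialStore) Credentials() (string, string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	// Refresh when now+margin has reached the expiry (a zero expiry always refreshes).
	if s.username == "" || !s.now().Add(s.margin).Before(s.token.ExpiresAt) {
		tok, err := s.fetch()
		if err != nil {
			return "", "", fmt.Errorf("refresh ecr token: %w", err)
		}
		u, p, err := decodeECRToken(tok.AuthorizationToken)
		if err != nil {
			return "", "", err
		}
		s.token, s.username, s.password = tok, u, p
	}
	return s.username, s.password, nil
}

// Authorize sets the Basic header on an outgoing request to the ECR registry,
// the same header the curl command in the comment above sends by hand.
func (s *ECRCredentialStore) Authorize(req *http.Request) error {
	u, p, err := s.Credentials()
	if err != nil {
		return err
	}
	req.SetBasicAuth(u, p)
	return nil
}

func main() {
	// Constructed stand-in for the SDK: a token that expires in 12 hours.
	fetch := func() (ECRToken, error) {
		tok := base64.StdEncoding.EncodeToString([]byte("AWS:constructed-password"))
		return ECRToken{AuthorizationToken: tok, ExpiresAt: time.Now().Add(12 * time.Hour)}, nil
	}
	store := NewECRCredentialStore(fetch, 5*time.Minute, nil)
	req, _ := http.NewRequest(http.MethodGet, "https://aws_account_id.dkr.ecr.region.amazonaws.com/v2/amazonlinux/tags/list", nil)
	if err := store.Authorize(req); err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(req.Header.Get("Authorization"))
}
```

The refresh is lazy (checked on every request under a mutex), which is enough for a sync client that only talks to ECR when a mirror job runs; a background goroutine calling `Credentials()` on a timer would give the "periodically validating its expiration" behaviour mentioned above without changing the store. The margin matters because ECR rejects an expired token mid-pull and a large layer download started seconds before expiry would fail.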

@tamilhce
Author

tamilhce commented Oct 15, 2024

Sorry for the delay in responding. The feature is now code complete: FYI (https://github.com/tamilhce/zot/tree/tamilhce/ecr-cred-helper). Before creating the pull request, I will test this locally and check if I can add additional test cases.

@tamilhce
Author

I have created the PR here. @rchincha, please review it at your convenience. I welcome your feedback and suggestions!

@rchincha
Contributor

rchincha commented Nov 4, 2024

@tamilhce pls submit your PR. The approach overall looks fine to me. Let others take a look also.

@tamilhce
Author

I have submitted the PR against the master branch now
#2907
