[Feat]: Support for AWS ECR Authentication with Temporary Tokens #2650
Comments
@tamilhce thanks for trying out zot. Looks like there is a requirement for a per-upstream credentials helper. For the
Always happy to receive PR/contributions if it helps/enables use cases. Pls take a look at our existing config model and post a draft PR. We can iterate on it.
Sure, @rchincha. In the meantime, I reviewed the amazon-ecr-credential-helper. I don't think we can directly leverage it because amazon-ecr-credential-helper is installed on each node. This requires Zot to have access to the root filesystem. Instead, we could implement something like:

```json
"registry2:5000": {
  "credential-store": "ecr"
}
```

In this approach, Zot would manage ECR credentials directly based on the credential-store.
We can fetch the authorization token using the go AWS SDK, similar to this command, and ensure the token stays up to date by periodically validating its expiration:
Then, update the requests with the corresponding token for API authentication, as shown below:
I haven't had the chance to work on this yet, but I'll prioritize it for next week.
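The refresh loop sketched in the comment above (fetch the ECR authorization token, keep it valid by checking its expiry, and attach it to upstream requests) as an added, stand-alone example. This is not code from zot or from the linked branch. The AWS SDK call (`ecr.GetAuthorizationToken`) is replaced by a `tokenFetcher` interface so the example runs offline; `fakeFetcher` and the token payloads are constructed for the demo. What is real is the token shape: ECR returns base64 of `AWS:<password>` together with an expiry, and the registry expects it as HTTP Basic auth.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// ecrToken is the decoded form of one ECR authorization token.
// ECR hands back base64("AWS:<password>") plus an expiry (about 12 hours).
type ecrToken struct {
	Username  string
	Password  string
	ExpiresAt time.Time
}

// tokenFetcher stands in for ecr.GetAuthorizationToken from the AWS SDK for Go.
// It is an interface here (assumption) so the refresh logic can be tested offline.
type tokenFetcher interface {
	Fetch() (encoded string, expiresAt time.Time, err error)
}

// decodeECRToken splits the base64 "user:password" payload ECR returns and
// rejects anything that is not in that form.
func decodeECRToken(encoded string, expiresAt time.Time) (ecrToken, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return ecrToken{}, fmt.Errorf("decode ecr token: %w", err)
	}
	parts := strings.SplitN(string(raw), ":", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return ecrToken{}, errors.New("ecr token is not in user:password form")
	}
	return ecrToken{Username: parts[0], Password: parts[1], ExpiresAt: expiresAt}, nil
}

// ecrCredentialStore caches one token per upstream and refreshes it shortly
// before expiry, so a request never goes out with a token about to lapse.
type ecrCredentialStore struct {
	mu      sync.Mutex
	fetcher tokenFetcher
	now     func() time.Time // injectable clock for tests
	margin  time.Duration    // refresh this long before ExpiresAt
	cached  *ecrToken
}

func newECRCredentialStore(f tokenFetcher) *ecrCredentialStore {
	return &ecrCredentialStore{fetcher: f, now: time.Now, margin: 5 * time.Minute}
}

// token returns a usable token, fetching a fresh one when nothing is cached
// or the cached token is within the refresh margin of its expiry.
func (s *ecrCredentialStore) token() (ecrToken, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.cached != nil && s.now().Add(s.margin).Before(s.cached.ExpiresAt) {
		return *s.cached, nil
	}
	encoded, exp, err := s.fetcher.Fetch()
	if err != nil {
		return ecrToken{}, err
	}
	tok, err := decodeECRToken(encoded, exp)
	if err != nil {
		return ecrToken{}, err
	}
	s.cached = &tok
	return tok, nil
}

// authorize attaches the current token to an outgoing request as Basic auth,
// which is how the ECR registry endpoint expects it.
func (s *ecrCredentialStore) authorize(req *http.Request) error {
	tok, err := s.token()
	if err != nil {
		return err
	}
	req.SetBasicAuth(tok.Username, tok.Password)
	return nil
}

// fakeFetcher is a constructed stand-in for the SDK call; it counts calls so
// the refresh behaviour is observable and issues a 12h token each time.
type fakeFetcher struct {
	calls int
	now   func() time.Time
}

func (f *fakeFetcher) Fetch() (string, time.Time, error) {
	f.calls++
	payload := fmt.Sprintf("AWS:constructed-token-%d", f.calls) // constructed value
	return base64.StdEncoding.EncodeToString([]byte(payload)), f.now().Add(12 * time.Hour), nil
}

func main() {
	store := newECRCredentialStore(&fakeFetcher{now: time.Now})
	req, _ := http.NewRequest(http.MethodGet, "https://registry2:5000/v2/", nil)
	if err := store.authorize(req); err != nil {
		panic(err)
	}
	fmt.Println("Authorization:", req.Header.Get("Authorization"))
}
```

The store is keyed per upstream in the comment's config model, so a real implementation would hold one of these per `credential-store: "ecr"` entry and could refresh on a timer as well as on demand; the margin keeps a token from being used in the last minutes before ECR rejects it.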
Sorry for the delay in responding. The feature is now code complete: FYI (https://github.com/tamilhce/zot/tree/tamilhce/ecr-cred-helper). Before creating the pull request, I will test this locally and check if I can add additional test cases.
@tamilhce pls submit your PR. The approach overall looks fine to me. Let others take a look also.
I have submitted the PR against the master branch now.
Title: Support for AWS ECR Authentication with Temporary Tokens
Description
We have configured AWS ECR as a sync registry for Zot running in our local cluster. Currently, Zot expects registry credentials in the following format:
However, AWS ECR provides temporary tokens for authentication, as described in the AWS ECR documentation. For Docker, the amazon-ecr-credential-helper manages this by setting the token in the format expected by the Docker daemon, which is the standard for accessing ECR.
I am opening this ticket to discuss potential options for handling ECR's temporary token mechanism in Zot. I'm happy to contribute by adding an extension to Zot if needed. I would appreciate your valuable suggestions and feedback on the best approach for this enhancement.