project-zot / zot

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
https://zotregistry.dev
Apache License 2.0

[Feat]: Support for AWS ECR Authentication with Temporary Tokens #2650

Open tamilhce opened 2 weeks ago

tamilhce commented 2 weeks ago

Title: Support for AWS ECR Authentication with Temporary Tokens

Description

We have configured AWS ECR as a sync registry for Zot running in our local cluster. Currently, Zot expects registry credentials in the following format:

"registry2:5000": {
    "username": "user2",
    "password": "pass2"
}

However, AWS ECR provides temporary tokens for authentication, as described in the AWS ECR documentation. For Docker, the amazon-ecr-credential-helper manages this by setting the token in the format expected by the Docker daemon, which is the standard for accessing ECR.

I am opening this ticket to discuss potential options for handling ECR's temporary token mechanism in Zot. I'm happy to contribute by adding an extension to Zot if needed. I would appreciate your valuable suggestions and feedback on the best approach for this enhancement.

rchincha commented 2 weeks ago

@tamilhce thanks for trying out zot.

Looks like there is a requirement for a per-upstream credentials helper. There will need to be changes in the config model and some backend code.

For the sync (mirroring) feature, zot is both a server and a client, so expect some of these issues to pop up.

I am opening this ticket to discuss potential options for handling ECR's temporary token mechanism in Zot. I'm happy to contribute by adding an extension to Zot if needed.

Always happy to receive PR/contributions if it helps/enables use cases.

Pls take a look at our existing config model and post a draft PR. We can iterate on it.

tamilhce commented 6 days ago

Sure, @rchincha. In the meantime, I reviewed the amazon-ecr-credential-helper. I don't think we can directly leverage it because amazon-ecr-credential-helper is installed on each node. This requires Zot to have access to the root filesystem.

Instead, we could implement something like:

"registry2:5000": {
  "credential-store": "ecr"
}

In this approach, Zot would manage ECR credentials directly based on the credential-store. We can give the Zot pod access to ECR by assigning the appropriate IAM roles (similar to https://zotregistry.dev/v2.0.0/articles/storage/#configuring-remote-storage-with-s3). The AWS profile attached to the pod should follow a similar role setup:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings"
      ],
      "Resource": "*"
    }
  ]
}

We can fetch the authorization token using the go AWS SDK, similar to this command, and ensure the token stays up to date by periodically validating its expiration:

TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')

Then, update the requests with the corresponding token for API authentication, as shown below:

curl -i -H "Authorization: Basic $TOKEN" https://aws_account_id.dkr.ecr.region.amazonaws.com/v2/amazonlinux/tags/list

I haven’t had the chance to work on this yet, but I’ll prioritize it for next week.
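The credential-store approach sketched in this thread, as an added example that is not zot's code or the author's: a small Go cache that decodes ECR's authorization token (base64 of `AWS:<password>`, the same value the curl command above sends as Basic auth) into the username/password pair zot's sync client expects, and refetches it before expiry. The `fetch` callback, the `margin` field and `constructedECRFetch` are assumptions standing in for the AWS SDK's GetAuthorizationToken call so the code runs offline.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// ecrCredentialStore is a hypothetical "credential-store": "ecr" backend; fetch stands in for the SDK's GetAuthorizationToken call.
type ecrCredentialStore struct {
	fetch      func() (token string, expires time.Time, err error)
	margin     time.Duration // refresh this long before the token expires
	user, pass string
	expires    time.Time
}

// decodeECRToken splits the base64("AWS:<password>") token into the Basic-auth pair.
func decodeECRToken(token string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", "", fmt.Errorf("ecr token is not base64: %w", err)
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if !ok || user == "" || pass == "" {
		return "", "", fmt.Errorf("ecr token is not in user:password form")
	}
	return user, pass, nil
}

// Credentials returns the cached pair, refreshing it when absent or within margin of expiry.
func (s *ecrCredentialStore) Credentials() (string, string, error) {
	if s.user != "" && time.Now().Add(s.margin).Before(s.expires) {
		return s.user, s.pass, nil
	}
	token, expires, err := s.fetch()
	if err != nil {
		return "", "", fmt.Errorf("refreshing ecr token: %w", err)
	}
	if s.user, s.pass, err = decodeECRToken(token); err != nil {
		return "", "", err
	}
	s.expires = expires
	return s.user, s.pass, nil
}

// constructedECRFetch mimics ECR offline: a base64 "AWS:<password>" token valid for 12 hours.
func constructedECRFetch() (string, time.Time, error) {
	return base64.StdEncoding.EncodeToString([]byte("AWS:example-password")), time.Now().Add(12 * time.Hour), nil
}
```

In zot the `fetch` callback would wrap the SDK call with the pod's IAM role, and the sync client would read `Credentials()` before each upstream request instead of a static username/password from the config.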