Kaniko: Support native AWS IAM integration with updated docker-credential-ecr-login

Created on 18 Sep 2019 · 7 Comments · Source: GoogleContainerTools/kaniko

There is now native integration with AWS IAM using Kubernetes ServiceAccounts: https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/. This requires all SDKs used to interact with AWS to support this, however. As we use kaniko to build images on AWS Kubernetes clusters, it would be great if kaniko shipped with a docker-credential-ecr-login binary that supports this native IAM.

I've opened a PR in the amazon-ecr-credential-helper repo to update the SDK: https://github.com/awslabs/amazon-ecr-credential-helper/pull/183.

I'm opening this issue so the kaniko Docker image can get updated with a new binary when a new amazon-ecr-credential-helper gets released.

Labels: area/registry, kind/feature-request, priority/p2

All 7 comments

@tejal29 After the PR merge (https://github.com/awslabs/amazon-ecr-credential-helper/pull/183), amazon-ecr-credential-helper master branch now supports native Kubernetes AWS IAM integration. Would it be possible perhaps to build a new kaniko release so this is supported in the upstream kaniko container image?

Is this solved with the new release?

Can someone confirm that 0.15.0 is compatible with IRSA?

The image at gcr.io/kaniko-project/executor:debug-v0.16.0 does contain the latest release of docker-credential-ecr-login: 0.4.0, from Jan 6th and containing the IRSA feature. However, I still cannot get kaniko to retrieve the correct credentials. I always end up with the Instance Profile credentials instead of those from the Kubernetes service account.

I have verified that the correct AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE values are set according to IRSA. I don't see why I get the instance credentials.

It works by setting the following environment variable: AWS_SDK_LOAD_CONFIG=true

If running on an EC2 instance with an instance profile, you may also need to set: AWS_EC2_METADATA_DISABLED=true. In my case kaniko kept getting the EC2 instance profile role credentials instead. This disables the instance profile role credentials and kaniko then gets the expected credentials.

To be clear, set both AWS_EC2_METADATA_DISABLED and AWS_SDK_LOAD_CONFIG as mentioned above to true on EC2 instances with instance profiles.

In my case, running the debug image on kubernetes, I had to overwrite the docker config first:

```shell
echo '{"credsStore":"ecr-login"}' > /kaniko/.docker/config.json
/kaniko/executor --context `pwd` --destination xxxxxxxxxxxxx.dkr.ecr.us-east-1.amazonaws.com/app:latest
```
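Putting the pieces from this thread together as one Kubernetes manifest, as an added example that is not from the issue or the kaniko project: an IRSA-annotated ServiceAccount, the credsStore config mounted where the last comment writes it, and the two environment variables reported above. The ServiceAccount name, the ConfigMap name, the `dir:///workspace` context, the us-east-1 region and the `<ACCOUNT_ID>` / `<ROLE_NAME>` placeholders are assumptions.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kaniko-builder            # assumed name
  annotations:
    # IRSA binding: the role's trust policy must allow this SA via the cluster OIDC provider
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kaniko-docker-config      # assumed name
data:
  # Same config.json the comment above writes by hand; "ecr-login" selects docker-credential-ecr-login
  config.json: |
    {"credsStore": "ecr-login"}
---
apiVersion: v1
kind: Pod
metadata:
  name: kaniko-build
spec:
  serviceAccountName: kaniko-builder
  restartPolicy: Never
  containers:
    - name: kaniko
      image: gcr.io/kaniko-project/executor:debug-v0.16.0
      args:
        - --context=dir:///workspace
        - --destination=<ACCOUNT_ID>.dkr.ecr.us-east-1.amazonaws.com/app:latest
      env:
        # Without this the credential helper ignored the web-identity role (see the comments above)
        - name: AWS_SDK_LOAD_CONFIG
          value: "true"
        # Prevent falling back to the node's instance profile credentials
        - name: AWS_EC2_METADATA_DISABLED
          value: "true"
        # AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are injected by the EKS pod identity webhook
      volumeMounts:
        - name: docker-config
          mountPath: /kaniko/.docker
        - name: workspace
          mountPath: /workspace
  volumes:
    - name: docker-config
      configMap:
        name: kaniko-docker-config
    - name: workspace
      emptyDir: {}
```

Scoping the IAM role to push rights on the one repository keeps the build pod from inheriting whatever the node's instance profile can do.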