
How to install aws cli inside kaniko image ?

Open abhinav5656 opened this issue 2 years ago • 4 comments

Hello,

I have a requirement to run aws command (aws sts assume-role-with-web-identity) inside kaniko container. How can we do that ?

abhinav5656 avatar Jul 22 '22 05:07 abhinav5656

Which environment are you using to run kaniko? If it is EKS or AWS CodeBuild, we can consider using another solution to configure the AWS role, I think.

phongvq avatar Jul 23 '22 05:07 phongvq

I am using gitlab runner to run kaniko.

abhinav5656 avatar Jul 24 '22 02:07 abhinav5656

Got a similar use case, but I have to delete an image tag with the aws ecr command.

GertVil avatar Aug 16 '22 20:08 GertVil

> Hello,
>
> I have a requirement to run aws command (aws sts assume-role-with-web-identity) inside kaniko container. How can we do that ?

Using Kubernetes? You can do so with an initContainer.

liranbg avatar Sep 02 '22 18:09 liranbg

I too would be interested in how to get kaniko to assume a web identity role (running inside EKS in a GitLab Enterprise CI pipeline). Tried with a service account with an attached IAM role and the AWS_ROLE_ARN env var; it did not pick it up...

adrianmiron avatar Feb 21 '23 08:02 adrianmiron

amazon-ecr-credential-helper v0.5.0 onwards supports reading of config from ~/.aws/config, which includes web identities.

Reference: https://github.com/awslabs/amazon-ecr-credential-helper/pull/201 Sample Gitlab project: https://gitlab.com/guided-explorations/aws/configure-openid-connect-in-aws/-/blob/main/.gitlab-ci.yml#L15

So all we need to do now in your build job is to set up ~/.aws/config with the correct role_arn and identity token (which should be CI_JOB_JWT_V2).

```yaml
before_script:
    - mkdir -p ~/.aws
    - echo "${CI_JOB_JWT_V2}" > /tmp/web_identity_token
    - echo -e "[default]\nrole_arn=${ROLE_ARN}\nweb_identity_token_file=/tmp/web_identity_token" > ~/.aws/config
```

bakavic avatar Mar 06 '23 06:03 bakavic
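As an added example (not code from this thread or from the kaniko project), the setup in the comment above as a small POSIX shell script: it validates the role ARN and the token, writes the web identity token file and the `~/.aws/config` profile that amazon-ecr-credential-helper reads, and writes the `/kaniko/.docker/config.json` that points kaniko at its bundled `ecr-login` helper for that one registry. The role ARN, registry host, token value and paths are constructed for illustration; in a real job they come from the CI variables named in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the kaniko project: prepare kaniko's ECR
# login through a web identity (GitLab OIDC token -> IAM role) the way the
# comment above describes. Assumed: kaniko's bundled docker-credential-ecr-login
# reads ~/.aws/config, and kaniko reads /kaniko/.docker/config.json.
# All ARNs, hostnames, tokens and paths below are constructed for illustration.
set -eu

# Accept only an IAM role ARN (any partition): arn:aws*:iam::<12 digits>:role/<name>
valid_role_arn() {
  case $1 in
    arn:aws*:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# A JWT is three non-empty base64url segments joined by dots. This catches an
# empty or unset CI variable before an unusable token file is written.
looks_like_jwt() {
  case $1 in
    ?*.?*.?*) ;;
    *) return 1 ;;
  esac
  case $1 in
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# write_web_identity_files ROLE_ARN TOKEN TOKEN_FILE AWS_CONFIG
# Files are created under umask 077 in a subshell, so the token and the config
# are owner-readable only and the caller's umask is untouched.
write_web_identity_files() {
  valid_role_arn "$1" || { echo "refusing to use role ARN: $1" >&2; return 1; }
  looks_like_jwt "$2" || { echo "token does not look like a JWT" >&2; return 1; }
  (
    umask 077
    mkdir -p "$(dirname "$3")" "$(dirname "$4")"
    printf '%s' "$2" > "$3"
    printf '[default]\nrole_arn = %s\nweb_identity_token_file = %s\n' "$1" "$3" > "$4"
  )
}

# write_kaniko_docker_config REGISTRY_HOST CONFIG_PATH
# Scopes the credential helper to this registry only; other registries used by
# the build (base images from Docker Hub, for instance) are unaffected.
write_kaniko_docker_config() {
  mkdir -p "$(dirname "$2")"
  printf '{\n  "credHelpers": {\n    "%s": "ecr-login"\n  }\n}\n' "$1" > "$2"
}

# Demo with constructed values. In a GitLab job the token is $CI_JOB_JWT_V2 (or an
# id_tokens variable on newer GitLab), the role ARN is a CI variable, and the
# paths are /tmp/web_identity_token, ~/.aws/config and /kaniko/.docker/config.json.
demo() {
  root=$(mktemp -d)
  write_web_identity_files \
    "arn:aws:iam::123456789012:role/gitlab-kaniko-push" \
    "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2lnbmF0dXJl" \
    "$root/tmp/web_identity_token" \
    "$root/home/.aws/config"
  write_kaniko_docker_config \
    "123456789012.dkr.ecr.eu-west-1.amazonaws.com" \
    "$root/kaniko/.docker/config.json"
  printf '%s\n' "$root"
}

# Run as `sh this_script.sh demo` to see the generated files.
if [ "${1:-}" = demo ]; then
  r=$(demo)
  cat "$r/home/.aws/config" "$r/kaniko/.docker/config.json"
fi
```

Two things worth checking on the AWS side once this is in place: the role's trust policy should restrict the token's `sub` claim to the project (and ideally the protected branch) that is allowed to push, otherwise any job on the same GitLab instance can assume the role; and the role's permissions should be limited to `ecr:GetAuthorizationToken` plus push rights on the one repository kaniko writes to.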

alternatively, you can have the amazon-ecr-credential-helper pick up the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN from ENV variables. Those can be generated with aws-cli installed on Kaniko:

```dockerfile
FROM alpine
RUN apk add --no-cache jq curl python3 py3-pip gettext libintl bash && pip install awscli
# only the executor binary is copied from the kaniko debug image
COPY --from=gcr.io/kaniko-project/executor:debug /kaniko/executor /kaniko/executor
```

```sh
# assume-role (run in the job, not as a Dockerfile instruction)
aws sts assume-role --output json --query 'Credentials' --role-arn "$ASSUME_ROLE_ARN" --role-session-name "$SESSION_NAME"
```

and run the Kaniko image something like this:

/kaniko/executor ... --destination $ECR_REGISTRY 

Hope that helps

vladiceanu avatar Jun 06 '23 13:06 vladiceanu
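An added example (not code from this thread or from the kaniko project) for the aws-cli route above and for the "export them to the next steps" pattern in the following reply: it turns the output of `aws sts assume-role` into the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` variables the ECR credential helper reads, checks that they really are temporary credentials, and writes them out in GitLab's dotenv report format for a later stage. The `--output text` plus fixed-order `--query` trick avoids needing jq. The sample STS line is constructed; the key, secret and token in it are fake.

```shell
#!/bin/sh
# Added example, not from the thread or the kaniko project: turn the output of
# `aws sts assume-role` into the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY /
# AWS_SESSION_TOKEN variables the ECR credential helper reads, and persist them
# for a later job. No jq needed: --output text with a --query that lists the
# fields in a fixed order yields one tab-separated line.
# The sample line below is constructed; the key, secret and token are fake.
set -eu

# The command whose output export_sts_creds consumes (not run here):
#   aws sts assume-role --role-arn "$ASSUME_ROLE_ARN" --role-session-name "$SESSION_NAME" \
#     --duration-seconds 900 --output text --query "$STS_QUERY"
STS_QUERY='Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]'

# export_sts_creds LINE: parse one tab-separated line in the STS_QUERY order
# and export the credentials. Fails if the line is not temporary credentials.
export_sts_creds() {
  IFS=$(printf '\t') read -r key secret token expiry <<EOF
$1
EOF
  # Temporary credentials from STS always carry an ASIA... access key ID
  # (20 chars). An AKIA... key here means a long-term key got into the job.
  case $key in
    ASIA????????????????) ;;
    *) echo "not a temporary access key id (prefix $(printf '%.4s' "$key"))" >&2; return 1 ;;
  esac
  [ -n "$secret" ] && [ -n "$token" ] || { echo "missing secret or session token" >&2; return 1; }
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$token"
  STS_EXPIRATION=$expiry
  export STS_EXPIRATION
  return 0
}

# write_dotenv PATH: GitLab dotenv report format (KEY=VALUE per line), so a
# later stage receives the variables via artifacts: reports: dotenv. The report
# is stored as a job artifact, so keep --duration-seconds as short as the
# build allows.
write_dotenv() {
  (
    umask 077
    printf 'AWS_ACCESS_KEY_ID=%s\nAWS_SECRET_ACCESS_KEY=%s\nAWS_SESSION_TOKEN=%s\n' \
      "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$AWS_SESSION_TOKEN" > "$1"
  )
}

# Constructed sample of what the command above prints (one tab-separated line).
SAMPLE_STS_LINE=$(printf 'ASIAEXAMPLE123456789\tExampleSecretKey0123456789abcdefghijklmnopq\tFwoGZXIvYXdzEConstructedSessionToken\t2023-06-06T14:00:00+00:00')

# Run as `sh this_script.sh demo` to see the parsed result.
if [ "${1:-}" = demo ]; then
  export_sts_creds "$SAMPLE_STS_LINE"
  echo "credentials exported for $AWS_ACCESS_KEY_ID, expire at $STS_EXPIRATION"
fi
```

In the kaniko job itself nothing else is needed once the three variables are in the environment: the bundled `ecr-login` helper picks them up through the normal AWS credential chain, so `/kaniko/executor ... --destination` for the ECR registry works without a `~/.aws` directory. Since the variables end up in the job log only if something echoes them, keep the build job from running with `set -x`.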

Yep, I did something similar: I set up the AWS credential env vars in a setup stage and export them to the next steps afterwards. Thanks @bakavic @vladiceanu, both your solutions work as well.

adrianmiron avatar Jun 07 '23 06:06 adrianmiron

Closing as I believe the question has been answered, feel free to comment and I can re-open if there is more to discuss

aaron-prindle avatar Jun 22 '23 01:06 aaron-prindle