Feature Request: Native Support for AWS Elastic Container Registry (ECR)
What would you like to be added:
Hi, we are working with grype as an admission controller and we are running it in an AWS EKS environment where images are stored in ECR.
Why is this needed:
When grype pulls an image from a private registry, it uses credentials stored in a docker config.json file. However, authenticating with AWS ECR requires an initial login step. On the command line this looks like this:
aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $REPO
While you could store the credentials in plaintext in that file, that seems insecure and the ECR creds are temporary.
It would be helpful if grype were capable of performing this authentication step, or if it were capable of pulling credentials directly from the AWS credential provider chain.
Additional context:
We are playing around with adding the ECR credential helper tool to a custom grype image, will report back if it works.
Looks like grype uses stereoscope as a provider, and an issue for ECR support is open there as well: https://github.com/anchore/stereoscope/issues/65
To add some follow-up information: we found out that the ECR credential helper tool wouldn't work; I believe it is intended to be used when there is a Docker daemon running.
Instead we managed to generate creds for grype by running a Kubernetes CronJob to periodically generate ECR credentials and store them in a docker config.json file that grype can use.
Native support is definitely still preferred as it would involve fewer moving parts.
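The workaround described in the comment above, as an added example that is not the issue author's or the grype project's code: the piece a CronJob has to produce is a docker config.json whose `auth` value is the base64 encoding of `AWS:<token>`, keyed by the registry hostname. The registry hostname, the token value and the `grype-docker-config` secret name used in the comments are assumptions for illustration; the `aws`/`kubectl` invocations are shown only in comments so the script runs offline.

```shell
#!/bin/sh
# Added example (not grype's or the issue author's code): build the
# docker config.json that grype reads, from an ECR login token.
# Assumptions: $1 is the ECR registry hostname (e.g.
# 123456789012.dkr.ecr.us-east-1.amazonaws.com), $2 is the output of
# `aws ecr get-login-password`. Both values here are placeholders.
set -eu

# Docker stores registry credentials as base64("user:password");
# for ECR the user is the literal string "AWS". coreutils base64 wraps
# output at 76 chars, so the newlines are stripped to keep it on one line.
ecr_auth_value() {
  printf '%s' "AWS:$1" | base64 | tr -d '\n'
}

# Emit a minimal config.json granting access to one ECR registry.
# Tokens expire after 12 hours, so whatever writes this file has to
# run on a schedule shorter than that.
ecr_docker_config() {
  registry="$1"
  password="$2"
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' \
    "$registry" "$(ecr_auth_value "$password")"
}

# What a CronJob container would run (shown as comments, not executed here;
# REGION, REGISTRY and the secret name are assumed values):
#   PASSWORD=$(aws ecr get-login-password --region "$REGION")
#   ecr_docker_config "$REGISTRY" "$PASSWORD" > config.json
#   kubectl create secret generic grype-docker-config \
#     --from-file=config.json --dry-run=client -o yaml | kubectl apply -f -
# The secret is then mounted into the grype pod at ~/.docker/config.json
# (or wherever DOCKER_CONFIG points).

# Stand-alone usage: ./ecr-config.sh <registry> <token>
if [ "$#" -eq 2 ]; then
  ecr_docker_config "$1" "$2"
fi
```

Because the file only ever holds a short-lived token, rotating it on a schedule is what keeps the plaintext-on-disk concern bounded; the secret should still be restricted to the grype service account's namespace.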
Hi @mvs5465! Thanks for the detail surrounding the credential helper's inability to be used in this case.
We can start investigating what native support looks like for this, but have a couple of other things in flight right now that we're trying to land for the project. PRs are welcome here and I'm happy to help get a PR you submit into a state where it can be merged into the project.