argo-helm

Serviceaccount is not working in Argoimage updater

Open samba1112 opened this issue 1 year ago • 1 comments

Describe the bug

Getting an error even though an IAM role with ECR read policy is attached to the service account:

level=error msg="Could not set registry endpoint credentials: invalid script output, must be single line with syntax <username>:<password>"

To confirm the above, I tried to exec into the pod and ran the command

aws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d

and got the error: Unable to locate credentials. You can configure credentials by running "aws configure".

So we can conclude that the service account is not working properly.

Related helm chart

argocd-image-updater

Helm chart version

0.8.0

To Reproduce

Follow similar configuration to reproduce

Expected behavior

Could not set registry endpoint credentials: invalid script output, must be single line with syntax <username>:<password>"

Screenshots

No response

Additional context

registry conf:

registries:
  - name: ECR
    api_url: https://accountid.dkr.ecr.us-east-1.amazonaws.com/
    prefix: accountid.dkr.ecr.us-east-1.amazonaws.com
    ping: yes
    insecure: no
    credentials: ext:/scripts/auth1.sh
    credsexpire: 10h

scripts:

authScripts:
  enabled: true
  scripts:
    auth1.sh: |
      #!/bin/sh
      aws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d

serviceaccount

serviceAccount:
  create: true
  annotations: 
    eks.amazonaws.com/role-arn: arn:aws:iam::accountid:role/ecrread
  name: ""

The IAM role has an ECR read-only policy, which is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:GetLifecyclePolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings"
            ],
            "Resource": "*"
        }
    ]
}

samba1112 Jul 13 '22 16:07

As a workaround, I tried to set creds through aws configure in the script itself, which is not an ideal way.

authScripts:
  enabled: true
  scripts:
    auth1.sh: |
      #!/bin/sh
      aws configure set aws_access_key_id ####ZHFOUNU###
      aws configure set aws_secret_access_key #####+7EV/NkyqLAHK0C######
      aws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d

samba1112 Jul 13 '22 16:07
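An added example, not code from this issue or from the argo-helm chart: a variant of auth1.sh that checks the IRSA prerequisites before calling ECR and only ever prints a single `<username>:<password>` line, so a missing role binding shows up as a clear message on stderr instead of static keys being written into the script. The function names are hypothetical; `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables EKS injects into pods whose service account carries the `eks.amazonaws.com/role-arn` annotation.

```sh
#!/bin/sh
# Added example: IRSA-aware replacement for auth1.sh (function names are hypothetical).

# The EKS pod identity webhook injects these variables and mounts the token
# file when the pod's service account carries the role-arn annotation.
check_irsa_env() {
  if [ -z "${AWS_ROLE_ARN:-}" ]; then
    echo "AWS_ROLE_ARN is unset: pod has no IRSA credentials injected" >&2
    return 1
  fi
  if [ ! -r "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
    echo "web identity token file is missing or unreadable" >&2
    return 1
  fi
}

# argocd-image-updater accepts exactly one line: <username>:<password>
valid_creds_line() {
  nl='
'
  case "$1" in
    *"$nl"*) return 1 ;;   # more than one line
    ?*:?*)   return 0 ;;   # non-empty user and password
    *)       return 1 ;;
  esac
}

ecr_credentials() {
  check_irsa_env || return 1
  token=$(aws ecr --region "$AWS_REGION" get-authorization-token \
    --output text --query 'authorizationData[].authorizationToken') || return 1
  creds=$(printf '%s' "$token" | base64 -d) || return 1
  if ! valid_creds_line "$creds"; then
    echo "decoded ECR token is not a single <username>:<password> line" >&2
    return 1
  fi
  printf '%s\n' "$creds"
}

# Run only when installed under the script name used in the chart values above.
case "$0" in
  */auth1.sh) ecr_credentials ;;
esac
```

The webhook injects these values only at pod creation, so a pod started before the annotation was added has to be recreated before `check_irsa_env` will pass.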

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] Oct 04 '22 03:10