argo-helm
Service account is not working in Argo CD Image Updater
Describe the bug
Getting an error even though an IAM role with the ECR read policy is attached to the service account:
```
level=error msg="Could not set registry endpoint credentials: invalid script output, must be single line with syntax <username>:<password>"
```
To confirm the above, tried to exec into the pod and ran the command:
```sh
aws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d
```
Getting the error: Unable to locate credentials. You can configure credentials by running "aws configure".
So we can conclude that the service account is not working properly.
Related helm chart
argocd-image-updater
Helm chart version
0.8.0
To Reproduce
Follow similar configuration to reproduce
Expected behavior
Could not set registry endpoint credentials: invalid script output, must be single line with syntax <username>:<password>"
Screenshots
No response
Additional context
registry conf:
```yaml
registries:
  - name: ECR
    api_url: https://accountid.dkr.ecr.us-east-1.amazonaws.com/
    prefix: accountid.dkr.ecr.us-east-1.amazonaws.com
    ping: yes
    insecure: no
    credentials: ext:/scripts/auth1.sh
    credsexpire: 10h
```
scripts:
```yaml
authScripts:
  enabled: true
  scripts:
    auth1.sh: |
      #!/bin/sh
      aws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d
```
serviceaccount
```yaml
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::accountid:role/ecrread
  name: ""
```
The IAM role has the ECR read-only policy, which is:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings"
      ],
      "Resource": "*"
    }
  ]
}
```
As a workaround, tried to set creds through aws configure in the script itself, which is not an ideal way:
```yaml
authScripts:
  enabled: true
  scripts:
    auth1.sh: |
      #!/bin/sh
      aws configure set aws_access_key_id ####ZHFOUNU###
      aws configure set aws_secret_access_key #####+7EV/NkyqLAHK0C######
      aws ecr --region $AWS_REGION get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64
```
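An added example, not part of the original issue or the chart: a variant of `auth1.sh` that checks whether the role from the service account annotation actually reached the pod before calling ECR, and refuses to emit anything that is not a single `<username>:<password>` line, so no static keys are needed in the script. The function names and return codes are hypothetical; `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the variables EKS injects for annotated service accounts.

```shell
#!/bin/sh
# Added example, not the chart's own script. AWS_ROLE_ARN and
# AWS_WEB_IDENTITY_TOKEN_FILE are the variables EKS injects into pods whose
# service account carries the eks.amazonaws.com/role-arn annotation.

# 0 = IRSA wired up; 1 = env not injected; 2 = token unreadable; 3 = token empty.
check_irsa() {
    if [ -z "${AWS_ROLE_ARN:-}" ] || [ -z "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
        echo "IRSA env missing: check serviceAccountName, the role-arn annotation, and recreate the pod" >&2
        return 1
    fi
    if [ ! -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
        echo "token not readable by uid $(id -u): $AWS_WEB_IDENTITY_TOKEN_FILE" >&2
        return 2
    fi
    if [ ! -s "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
        echo "token file is empty: $AWS_WEB_IDENTITY_TOKEN_FILE" >&2
        return 3
    fi
    return 0
}

# 0 only for exactly one line shaped <username>:<password>.
valid_creds_line() {
    nl='
'
    case "$1" in
        *"$nl"*|''|:*|*:) return 1 ;;
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ECR credential line, or fail with a reason on stderr.
ecr_creds() {
    check_irsa || return $?
    # Plain sh has no pipefail: a failed aws call shows up as empty output,
    # which valid_creds_line rejects below.
    out=$(aws ecr --region "$AWS_REGION" get-authorization-token --output text \
        --query 'authorizationData[].authorizationToken' | base64 -d)
    if ! valid_creds_line "$out"; then
        echo "aws/base64 output is not a single <username>:<password> line" >&2
        return 5
    fi
    printf '%s\n' "$out"
}

# Runs only when the file is installed under the name used on this page.
case "$0" in *auth1.sh) ecr_creds ;; esac
```

Running `check_irsa; echo $?` inside the pod separates "the role was never injected" (1) from "the token is mounted but this user cannot read it" (2), which the `Unable to locate credentials` message alone does not distinguish.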
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.