
Support login to ECR with assumed IAM role from WebIdentity

Open davidkarlsen opened this issue 4 years ago • 4 comments

Description

I used the plugin fine by defining the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_DEFAULT_REGION variables, now I want to change this to assuming webidentity/using IAM roles, see https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html for the concept.

However, when I define AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE / AWS_DEFAULT_REGION instead, authentication is not picked up automagically by the plugin.

I can, however, log in with the same env-vars directly by using docker login etc., and hence the plugin will work too, but this requires some command-line toil instead of the plugin just picking up the env-vars.

I tried adding:

<dependencies>
  <dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-core</artifactId>
    <version>1.12.74</version>
  </dependency>
</dependencies>

as a plugin dependency, but still it won't work automatically.

Info

  • docker-maven-plugin version: 0.37.0
  • Maven version (mvn -v): 3.8.2
  • Docker version: N/A
  • If it's a feature request, what is your use case: Login to ECR using OIDC-issued tokens and assume an IAM role with sts:AssumeRoleWithWebIdentity in order to eliminate the use of IAM credentials.

davidkarlsen, Sep 26 '21 15:09

Update, it actually works out of the box if I add both these dependencies:

<dependency>
  <groupId>com.amazonaws</groupId>
  <artifactId>aws-java-sdk-core</artifactId>
  <version>1.12.74</version>
</dependency>
<dependency>
  <groupId>com.amazonaws</groupId>
  <artifactId>aws-java-sdk-sts</artifactId>
  <version>1.12.74</version>
</dependency>

and define the env-vars AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE / AWS_REGION (instead of AWS_DEFAULT_REGION).

davidkarlsen, Sep 26 '21 16:09
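The update above relies on the AWS SDK's default credential and region provider chains picking up the three variables, with the STS module on the classpath so that the web-identity provider can call AssumeRoleWithWebIdentity. The preflight below is an added example, not code from docker-maven-plugin; it assumes aws-java-sdk-core and aws-java-sdk-sts 1.12.74 on the classpath and the class name EcrWebIdentityPreflight is hypothetical. It checks the same three variables and then resolves credentials exactly as the plugin's "AWS credentials from AWS SDK" path does, which separates a broken environment from a failing ECR call.

```java
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.DefaultAwsRegionProviderChain;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical preflight helper; not part of docker-maven-plugin. */
public final class EcrWebIdentityPreflight {

    /** Static checks on the three variables the thread settled on; an empty list means nothing obvious is wrong. */
    public static List<String> checkEnvironment() {
        List<String> problems = new ArrayList<>();
        String roleArn = System.getenv("AWS_ROLE_ARN");
        if (roleArn == null || !roleArn.startsWith("arn:") || !roleArn.contains(":role/")) {
            problems.add("AWS_ROLE_ARN is unset or is not an IAM role ARN");
        }
        String tokenFile = System.getenv("AWS_WEB_IDENTITY_TOKEN_FILE");
        File token = tokenFile == null ? null : new File(tokenFile);
        if (token == null || !token.canRead() || token.length() == 0) {
            problems.add("AWS_WEB_IDENTITY_TOKEN_FILE is unset, unreadable or empty: " + tokenFile);
        }
        // The Java SDK's region chain reads AWS_REGION, not AWS_DEFAULT_REGION (as noted in the thread).
        try {
            new DefaultAwsRegionProviderChain().getRegion();
        } catch (SdkClientException e) {
            problems.add("no region resolved; set AWS_REGION");
        }
        return problems;
    }

    /** Resolves credentials through the default chain, as the plugin does, and reports what came back. */
    public static String describeCredentials() {
        try {
            AWSCredentials c = DefaultAWSCredentialsProviderChain.getInstance().getCredentials();
            String kind = c instanceof AWSSessionCredentials ? "temporary (assumed-role) credentials" : "long-lived credentials";
            return kind + ", access key id " + c.getAWSAccessKeyId();  // never log the secret or session token
        } catch (SdkClientException e) {
            // Seen when aws-java-sdk-sts is absent from the plugin classpath or AssumeRoleWithWebIdentity is denied
            return "credential resolution failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        checkEnvironment().forEach(p -> System.out.println("PROBLEM: " + p));
        System.out.println(describeCredentials());
    }
}
```

If credentials resolve as temporary session credentials but the plugin still reports "AWS authentication failure", the problem lies in the ECR GetAuthorizationToken call (role permissions or registry region) rather than in the credential setup.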

Thanks. Could you please review our documentation regarding ECR [0]? Do you think it requires some addition for web identity role-related use cases?

[0] http://dmp.fabric8.io/#extended-authentication

rohanKanojia, Sep 26 '21 17:09

@rohanKanojia It would maybe be worthwhile mentioning this use-case too. The feature of using github-actions to provide an OIDC token is fairly new though, and not officially released, but that's not really tied to this plugin as such.

davidkarlsen, Sep 26 '21 17:09

@davidkarlsen Could you please give the full settings for ECR login? I'm getting this:

[DEBUG] Dockerfile already added, skipping
[INFO] DOCKER> [<number>.dkr.ecr.eu-west-1.amazonaws.com/<image>:0.1.0-SNAPSHOT] "<service>": Created docker-build.tar in 5 seconds 
[DEBUG] DOCKER> AuthConfig: AWS credentials from AWS SDK
[DEBUG] DOCKER> registry = <number>.dkr.ecr.eu-west-1.amazonaws.com, isValid= true
[DEBUG] DOCKER> Get ECR AuthorizationToken from api.ecr.eu-west-1.amazonaws.com
[DEBUG] DOCKER> Response status 400
[ERROR] DOCKER> AWS authentication failure

ygots, Mar 02 '23 17:03