Paul Thomson

I'm seeing the same issue

Yeah, I added the above to get around Admission Webhook constraints at my company (mandatory labels), and at the time it was unknown whether just labels would be enough, or...

Not sure if the `deployment` is failing due to my change, if it looks that way let me know :)

I understand that it's intended behaviour, but the presence of the environment variable seems to be explicitly tied to the annotation existing on the ServiceAccount ([only sets the roleARN if...

I don't know if that's the correct fix, rather shouldn't it be doing what [this line](https://github.com/awslabs/amazon-ecr-credential-helper/blob/5c087f35e29c21d4e42a4c999c7e6c4cad32d7db/ecr-login/api/client.go#L249) is doing? That function is called by `docker login` which you don't technically need...

(Just a drive-by observer, but) presumably you'd need to do an `sts.assumeRoleWithWebIdentity` i.e.: ``` aws sts assume-role-with-web-identity --role-arn --role-session-name --web-identity-token ``` first then then cred helper would work? And you'd...

Of course, I didn't think of the context of where Kaniko runs 🤦‍♂️ Are you running it in EKS? That would at least open the door to [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)

Never mind me then 😛