How to Configure a ROSA cluster to authenticate with AWS Elastic Container Registry (ECR)
Environment
- Red Hat OpenShift Service on AWS (ROSA)
- 4.x
- AWS Elastic Container Registry (ECR)
Issue
- AWS ECR authorization tokens expire after 12 hours. When a secret holding such a token is used to authenticate to AWS ECR, re-authentication (a new token and an updated secret) is required every 12 hours.
- Is there a built-in, automated solution to rotate the AWS ECR token?
Resolution
- Node-level requests (for example, the kubelet/CRI-O on a worker pulling an image for a pod): attach an ECR policy to the worker node IAM role. For a detailed walkthrough, refer to Configuring a ROSA cluster to pull images from AWS elastic container registry (ECR). Note: a policy attached to the worker role applies to every cluster in your account that uses that role, so scope it accordingly.
- Pod-level requests (for example, S2I builds, ArgoCD, or any other workload that talks to ECR itself): you cannot rely on the ECR policy attached to the worker node role, because the pod does not use the node's instance credentials. You have to create a registry secret and keep its ECR token rotated before the 12-hour expiry. The ECR secret community operator automates this: it periodically calls the AWS ECR GetAuthorizationToken API and creates or updates the secret, so the service account can keep pulling from and pushing to ECR. For more details, refer to ECR secret operator.
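The two approaches above, as an added shell example that is not part of this solution and not the ECR secret operator's own code: attaching AWS's managed read-only ECR policy to the worker role for node-level pulls, and a manual stand-in for the operator's rotation loop that fetches a fresh token (aws ecr get-login-password wraps GetAuthorizationToken), rebuilds the dockerconfigjson secret and links it to a service account. The worker role name ManagedOpenShift-Worker-Role, the account ID, region, namespace, secret and service account names are assumptions; replace them with your cluster's values.

```shell
#!/usr/bin/env bash
# Added example (not from the Red Hat article): authenticating a ROSA cluster to ECR.
# Assumptions, adjust for your account: worker role name, region, account ID.
set -eu

AWS_REGION="${AWS_REGION:-us-east-1}"
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"            # placeholder account ID
ECR_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
WORKER_ROLE="${WORKER_ROLE:-ManagedOpenShift-Worker-Role}"  # assumed; check with `rosa describe cluster`

# 1. Node level: let CRI-O on the workers pull from ECR by attaching AWS's
#    managed read-only ECR policy to the worker instance role. Every cluster
#    that uses this role gets the permission, so scope the role deliberately.
attach_node_pull_policy() {
  aws iam attach-role-policy \
    --role-name "$WORKER_ROLE" \
    --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
}

# 2. Pod level: build a kubernetes.io/dockerconfigjson Secret manifest from an
#    ECR authorization token. Pure shell (no network) so it can be tested offline;
#    the username for ECR tokens is always the literal "AWS".
ecr_dockerconfig_secret() {
  local name="$1" namespace="$2" registry="$3" token="$4"
  local auth config
  auth=$(printf '%s' "AWS:${token}" | base64 | tr -d '\n')
  config=$(printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
             "$registry" "$token" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$config" | base64 | tr -d '\n')
EOF
}

# 3. Fetch a fresh 12-hour token, (re)create the secret and link it to the
#    service account for both pulls and mounts (S2I builds need the mount).
#    Run this from a CronJob more often than every 12 hours (e.g. every 6h)
#    so the secret is refreshed before the token it holds expires.
refresh_ecr_secret() {
  local name="$1" namespace="$2" sa="${3:-default}"
  local token
  token=$(aws ecr get-login-password --region "$AWS_REGION")
  ecr_dockerconfig_secret "$name" "$namespace" "$ECR_REGISTRY" "$token" \
    | oc apply -n "$namespace" -f -
  oc -n "$namespace" secrets link "$sa" "$name" --for=pull,mount
}

# Usage: ./ecr-auth.sh run   (needs aws and oc configured for the target account/cluster)
if [ "${1:-}" = "run" ]; then
  attach_node_pull_policy
  refresh_ecr_secret ecr-pull-secret my-app builder
fi
```

The CronJob that runs refresh_ecr_secret needs AWS credentials that can call ecr:GetAuthorizationToken and a Kubernetes role allowing it to update secrets in the target namespace; the ECR secret operator packages exactly this loop, which is why the article recommends it over hand-rolled rotation.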
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.