AWS Elastic Container Registry
ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. For more information, see registry authentication in the Amazon Elastic Container Registry User Guide.
Output Keys and Values
| Key | Description |
|---|---|
| username | Username for the docker login command. |
| password | Password for the docker login command. |
| proxy_endpoint | The registry URL to use for this authorization token in a docker login command. |
| expires_at | Time when the token expires, in UNIX time (seconds since January 1, 1970 UTC). |
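
The following added example (not the project's own code) shows how the four output keys relate to one `authorizationData` entry of a GetAuthorizationToken response, how they combine into a `.dockerconfigjson` payload, and how `expires_at` can drive a refresh check well inside the 12-hour validity window. The sample response is constructed, the function names are hypothetical, and both the string form of `expires_at` and the one-hour refresh margin are assumptions.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample shaped like one authorizationData entry of a
# GetAuthorizationToken response; account ID and password are fake.
SAMPLE_AUTH_DATA = {
    "authorizationToken": base64.b64encode(b"AWS:constructed-password").decode(),
    "expiresAt": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
    "proxyEndpoint": "https://123456789012.dkr.ecr.eu-west-1.amazonaws.com",
}


def to_output_keys(auth_data):
    """Map one authorizationData entry to the four output keys."""
    decoded = base64.b64decode(auth_data["authorizationToken"]).decode()
    # The token decodes to "username:password"; split on the first colon only.
    username, sep, password = decoded.partition(":")
    if not (sep and username and password):
        raise ValueError("authorization token is not 'username:password'")
    return {
        "username": username,
        "password": password,
        "proxy_endpoint": auth_data["proxyEndpoint"],
        # Assumption: emitted as a string of whole UNIX seconds.
        "expires_at": str(int(auth_data["expiresAt"].timestamp())),
    }


def docker_config_json(outputs):
    """Build a .dockerconfigjson payload from the output keys."""
    # Registry host without the scheme is used as the auths key.
    registry = outputs["proxy_endpoint"].split("://", 1)[-1]
    basic = f"{outputs['username']}:{outputs['password']}".encode()
    entry = {
        "username": outputs["username"],
        "password": outputs["password"],
        "auth": base64.b64encode(basic).decode(),
    }
    return json.dumps({"auths": {registry: entry}}, sort_keys=True)


def needs_refresh(outputs, now, margin=3600):
    """True once fewer than `margin` seconds of token lifetime remain."""
    return int(outputs["expires_at"]) - int(now) < margin
```

Because the password is a short-lived bearer credential, anything that stores the resulting payload should be regenerated before `expires_at` rather than after a pull starts failing.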
Authentication
You can choose from three authentication mechanisms:
- static credentials using spec.auth.secretRef
- point to an IRSA Service Account with spec.auth.jwt
- use credentials from the SDK default credentials chain from the controller environment
Example Manifest
```yaml
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
spec:

  # specify aws region (mandatory)
  region: eu-west-1

  # assume role with the given authentication credentials
  role: "my-role"

  # choose an authentication strategy
  # if no auth strategy is defined it falls back to using
  # credentials from the environment of the controller.
  auth:

    # option 1: static credentials
    # point to a secret that contains static credentials
    # like AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
    secretRef:
      accessKeyIDSecretRef:
        name: "my-aws-creds"
        key: "key-id"
      secretAccessKeySecretRef:
        name: "my-aws-creds"
        key: "access-secret"

    # option 2: IAM Roles for Service Accounts
    # point to a service account that should be used
    # that is configured for IAM Roles for Service Accounts (IRSA)
    jwt:
      serviceAccountRef:
        name: "oci-token-sync"
```