
AWS Elastic Container Registry

ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. For more information, see registry authentication in the Amazon Elastic Container Registry User Guide.

Output Keys and Values

Key             Description
username        username for the docker login command.
password        password for the docker login command.
proxy_endpoint  The registry URL to use for this authorization token in a docker login command.
expires_at      time when token expires in UNIX time (seconds since January 1, 1970 UTC).
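
The following is an added example, not code from external-secrets: it shows how one GetAuthorizationToken result maps to the four output keys above, and checks that a consumer's refresh interval stays inside the token lifetime. The sample response, the function names and the refresh_interval parameter are assumptions made for illustration; the "AWS:<password>" token layout follows the ECR registry authentication documentation.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like one authorizationData entry of a
# GetAuthorizationToken response; account ID and password are fake.
SAMPLE = {
    "authorizationToken": base64.b64encode(b"AWS:constructed-password").decode(),
    "expiresAt": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
    "proxyEndpoint": "https://123456789012.dkr.ecr.eu-west-1.amazonaws.com",
}


def to_output_keys(auth_data):
    """Map one authorizationData entry to the four output keys listed above."""
    decoded = base64.b64decode(auth_data["authorizationToken"]).decode()
    # The decoded token is "user:password"; split once, the password may hold ':'.
    username, sep, password = decoded.partition(":")
    if not sep or not username or not password:
        raise ValueError("authorization token is not in user:password form")
    return {
        "username": username,
        "password": password,
        "proxy_endpoint": auth_data["proxyEndpoint"],
        # Rendered as a string of UNIX seconds (assumption for this example).
        "expires_at": str(int(auth_data["expiresAt"].timestamp())),
    }


def outlives_refresh(keys, now, refresh_interval):
    """True if the token is still valid when the next refresh is due."""
    expires = datetime.fromtimestamp(int(keys["expires_at"]), tz=timezone.utc)
    return now + refresh_interval < expires


def docker_config_json(keys):
    """Render the values as the body of a kubernetes.io/dockerconfigjson Secret."""
    pair = f"{keys['username']}:{keys['password']}".encode()
    auth = base64.b64encode(pair).decode()
    return json.dumps({"auths": {keys["proxy_endpoint"]: {"auth": auth}}})
```

With a 12 hour token, a refresh interval of 12 hours or more leaves a window in which the stored password has already expired, which is the case outlives_refresh rejects.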

Authentication

You can choose from three authentication mechanisms:

  • static credentials using spec.auth.secretRef
  • point to an IRSA Service Account with spec.auth.jwt
  • use credentials from the SDK default credentials chain from the controller environment

Example Manifest

apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  # example name; choose your own
  name: ecr-gen
spec:

  # specify aws region (mandatory)
  region: eu-west-1

  # assume role with the given authentication credentials
  role: "my-role"

  # choose an authentication strategy
  # if no auth strategy is defined it falls back to using
  # credentials from the environment of the controller.
  auth:

    # option 1: static credentials
    # point to a secret that contains static credentials
    # like AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
    secretRef:
      accessKeyIDSecretRef:
        name: "my-aws-creds"
        key: "key-id"
      secretAccessKeySecretRef:
        name: "my-aws-creds"
        key: "access-secret"

    # option 2: IAM Roles for Service Accounts
    # point to a service account that should be used
    # that is configured for IAM Roles for Service Accounts (IRSA)
    jwt:
      serviceAccountRef:
        name: "oci-token-sync"