AWS Elastic Container Registry
ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. For more information, see registry authentication in the Amazon Elastic Container Registry User Guide.
Output Keys and Values
|username||username for the
|password||password for the
|proxy_endpoint||The registry URL to use for this authorization token in a
|expires_at||time when token expires in UNIX time (seconds since January 1, 1970 UTC).|
You can choose from three authentication mechanisms:
- static credentials using
- point to a IRSA Service Account with
- use credentials from the SDK default credentials chain from the controller environment
apiVersion: generators.external-secrets.io/v1alpha1 kind: ECRAuthorizationToken spec: # specify aws region (mandatory) region: eu-west-1 # assume role with the given authentication credentials role: "my-role" # choose an authentication strategy # if no auth strategy is defined it falls back to using # credentials from the environment of the controller. auth: # 1: static credentials # point to a secret that contains static credentials # like AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secretRef: accessKeyIDSecretRef: name: "my-aws-creds" key: "key-id" secretAccessKeySecretRef: name: "my-aws-creds" key: "access-secret" # option 2: IAM Roles for Service Accounts # point to a service account that should be used # that is configured for IAM Roles for Service Accounts (IRSA) jwt: serviceAccountRef: name: "oci-token-sync"