Spinnaker + ECR access

Question

I'm having trouble setting up Spinnaker with ECR access.

Background: I installed spinnaker using helm on an EKS cluster and I've confirmed that the cluster has the necessary ECR permissions (by manually running ECR commands from within the clouddriver pod). I am following the instructions here to get Spinnaker+ECR set up: https://www.spinnaker.io/setup/install/providers/docker-registry/

Issue: When I run:

hal config provider docker-registry account add my-ecr-registry \
--address $ADDRESS \
--username AWS \
--password-command "aws --region us-west-2 ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d | sed 's/^AWS://'"

I get the following output:

+ Get current deployment
  Success
- Add the some-ecr-registry account
  Failure
Problems in default.provider.dockerRegistry.some-ecr-registry:
- WARNING Resolved Password was empty, missing dependencies for
  running password command?
- WARNING You have a supplied a username but no password.
! ERROR Unable to fetch tags from the docker repository: code, 400
  Bad Request
? Can the provided user access this repository?
- WARNING None of your supplied repositories contain any tags.
  Spinnaker will not be able to deploy any docker images.
? Push some images to your registry.
Problems in halconfig:
- WARNING There is a newer version of Halyard available (1.28.0),
  please update when possible
? Run 'sudo apt-get update && sudo apt-get install
  spinnaker-halyard -y' to upgrade
- Failed to add account some-ecr-registry for provider
  dockerRegistry.

I have confirmed that the aws-cli is installed on the clouddriver pod. And I've confirmed that I can the password-command directly from the clouddriver pod and it successfully returns a token.
I've also confirmed that if I manually generate an ECR token and run hal config provider docker-registry account add my-ecr-registry --address $ADDRESS --username AWS --password-command "echo $MANUALLY_GENERATED_TOKEN" everything works fine. So there is something specific to the password-command that is going wrong and I'm not sure how to debug this.
One other odd behavior: if I simplify the password command to be: hal config provider docker-registry account add some-ecr-registry --address $ADDRESS --username AWS --repositories code --password-command "aws --region us-west-2 ecr get-authorization-token" , I get an addt'l piece of output that says "- WARNING Password command returned non 0 return code stderr/stdout was:bash: aws: command not found". This output only appears for this simplified command.

Any advice on how to debug this would be much appreciated.

If this command is working aws --region us-west-2 ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d | sed 's/^AWS:// I would simply send it to a variable PASSWORD="aws --region us-west-2 ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d | sed 's/^AWS://" and use as in run hal config provider docker-registry account add my-ecr-registry --address $ADDRESS --username AWS --password-command "echo $PASSWORD". — Mark Watney, Commented Nov 25, 2019 at 10:04

miggy282 · Accepted Answer · 2020-07-08 09:36:56Z

If like me your ECR registry is in another account, then you have to forcibly assume the role for the target account where your registry resides

passwordCommand: read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< `aws sts assume-role --role-arn arn:aws:iam::<AWS_ACCOUNT>:role/<SPINNAKER ROLE_NAME> --query "[Credentials.AccessKeyId, Credentials.SecretAccessKey, Credentials.SessionToken]" --output text --role-session-name spinnakerManaged-w2`; export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; aws ecr get-authorization-token --region us-west-2 --output text --query 'authorizationData[].authorizationToken' --registry-ids <AWS_ACCOUNT> | base64 -d | sed 's/^AWS://'

Credits to https://github.com/spinnaker/spinnaker/issues/5374#issuecomment-607468678

Andre Leon Rangel · Accepted Answer · 2020-03-04 03:37:56Z

I also installed Spinnaker on AKS and all i did was by using an AWS Managing User with the correct AWS IAM policy to ECR:* i have access to the ECR repositories directly. I dont think that hal being java based will execute the Bash command in --password-command

set the AWS ECS provider in your spinnaker deployment
Use the Following AWS IAM policy (SpinnakerManagingPolicy) to be attached to the AWS MAnaging User to give access to ECR. Please replace the AWS Accounts based on your need.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*",
                "cloudformation:*",
                "ecr:*"                
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/SpinnakerManagedRoleAccount1",
                "arn:aws:iam::101121314157:role/SpinnakerManagedRoleAccount2",
                "arn:aws:iam::202122232425:role/SpinnakerManagedRoleAccount3"
            ],
            "Effect": "Allow"
        }
    ]
}

Collectives™ on Stack Overflow

Spinnaker + ECR access

2 Answers 2

Not the answer you're looking for? Browse other questions tagged
amazon-web-services
kubernetes
spinnaker
amazon-ecr
or ask your own question.

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

Not the answer you're looking for? Browse other questions tagged amazon-web-serviceskubernetesspinnakeramazon-ecr or ask your own question.

Related

Not the answer you're looking for? Browse other questions tagged
amazon-web-services
kubernetes
spinnaker
amazon-ecr
or ask your own question.