ecr-credential-provider: use custom AWS_PROFILE #3723
Comments
@johanvandeweerd Thanks for raising the issue. We will look into this and come back to you.

Hi @johanvandeweerd, sorry for the late response.
Currently, the only place in Bottlerocket where

Thanks for the response @arnaldo2792. Will you keep this issue open to track the outcome of any team discussions? My biggest concern is to depend on this feature and it breaking down the road when other services also start to use that AWS profile because we have a very specific and limited role that we want to use for the credentials provider.

Yeah, I'll keep this issue open for discussion since I think your use case is something that others might run into later. I'll post an update later on 👍.

Image I'm using:

What I expected to happen:
Setting `AWS_PROFILE` environment variable for `ecr-credential-provider` configures the AWS profile used by the `ecr-credential-provider`.

What actually happened:
The `AWS_PROFILE` environment variable is set twice: once with the configured value, once with value `default`.

How to reproduce the problem:
Add an AWS profile that is used by `ecr-credential-provider`:

The `config` value base64-decoded equals to

Set the `AWS_PROFILE` using `apiclient`:

Also tried the following `userData` with Karpenter but that doesn't seem to be picked up. Will file an issue with Karpenter.

Additional information:
We have an EKS cluster in AWS account A and want it to pull images from the ECR registry of AWS account B. We try to configure the `ecr-credential-provider` to use an AWS profile that assumes a role of account B that has readonly access to the ECR registry of account B.

I've seen we can also configure settings.aws.profile and set that (in this case) to `ecr`. This seems to work but does that mean everything that needs AWS services are using the `ecr` profile? We want to restrict ONLY the `ecr-credential-provider` to the `ecr` role/profile.