/rancher-ecr-credentials

Docker container to periodically update the Credentials for an AWS Elastic Container Registry in Rancher

Primary LanguageGoApache License 2.0Apache-2.0

Rancher ECR Credentials Updater

This is Docker container that when executed will update the Docker registry credentials in Rancher for an Amazon Elastic Container Registry.

Why is this needed?

Because access to ECR is controlled with AWS IAM. An IAM user must request a temporary credential to the registry using the AWS API. This temporary credential is then valid for 12 hours.

Rancher only supports registries that authenticate with a username and password.

How to use

In order to authenticate with AWS ECR, this Docker container uses the default chain of credential providers.

The only requirement for running this application is to specify the AWS region using the AWS_REGION environment variable.

AWS credentials are loaded using the default AWS credential chain. Credentials are loaded in the following order:

  1. Environment variables (Specify AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (optional))
  2. Shared credentials file (mount a volume to /root/.aws that contains credentials and config files and specify AWS_PROFILE)
  3. IAM Instance Profile (if running on EC2)

NOTE: Cross account roles are not currently supported.

Add the following labels to the service in Rancher:

  • io.rancher.container.create_agent: true
  • io.rancher.container.agent.role: environment

These labels will cause Rancher to provision an API key for this service and create the CATTLE_URL, CATTLE_ACCESS_KEY, and CATTLE_SECRET_KEY environment variables.

Running container outside of Rancher

If you are running this container outside of a Rancher managed environment, then you must provide the following environment variables in additional to the ones above.

  • CATTLE_URL - the url of the Rancher server to update
  • CATTLE_ACCESS_KEY
  • CATTLE_SECRET_KEY
$ docker run -d -e AWS_REGION=us-east-1 -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -e CATTLE_URL=http://rancher.mydomain.com -e CATTLE_ACCESS_KEY=$CATTLE_ACCESS_KEY -e CATTLE_SECRET_KEY=$CATTLE_SECRET_KEY objectpartners/rancher-ecr-credentials:latest

Notes

The AWS credentials must correspond to an IAM user that has permissions to call the ECR GetToken API. The application then parses the resulting response to retrieve the ECR registry URL, username, and password. The returned registry URL, is used to discover the corresponding registry in Rancher.

Rancher stores registries by environment. If multiple environments exists, one instance of this container must be run per environment. Rancher credentials are tied to an environment, so specifying them will indicate which environment to update in Rancher.

NOTE: This application runs on a 6 hour loop. It's possible there could be a slight gap where the credentials expire before this program updates them.