Deploying Helm Charts from ECR with ArgoCD: Automating ECR Credential Rotation with ESO

Introduction

In my previous blog post I covered deploying Helm Charts from OCI registries. Today, I’d like to focus on ECR specifically and share an approach for managing access to ECR for ArgoCD in a secure and fully automated manner.

Problem description

For ArgoCD to access Helm charts from a private OCI registry, a set of credentials must be defined as a Kubernetes Secret object, similar to the following:

    apiVersion: v1
    kind: Secret
    metadata:
      name: private-ecr-repo
      namespace: argocd
      labels:
        argocd.argoproj.io/secret-type: repository
    stringData:
      url: 1234567890.dkr.ecr.eu-central-1.amazonaws.com
      name: private-ecr
      type: helm
      enableOCI: "true"
      username: AWS
      password: <placeholder-for-aws-ecr-token>

AWS credentials can be exchanged for an ECR token, for example by running aws ecr get-login-password. The challenge is that such a token is only valid for 12 hours. It can be tackled by issuing a token and updating the Secret periodically, before the token expires. ...

August 17, 2025 · 7 min · 1335 words · Simon

AWS Lambda & ECR: A Permissions Guide for Same-Account, Cross-Account and AWS Organizations Setups

Introduction

Since its introduction, AWS Lambda’s supported runtimes have continually expanded. Around 2020, support for containerized Lambdas was added. In this post, I’ll walk you through the permissions needed for running Lambdas with images stored in ECR. We’ll look at these scenarios:

- Lambda and ECR repository in the same account
- Lambda and ECR in different accounts
- Multi-account setup with AWS Organizations

I’ll be strictly focusing on the permissions. In my opinion, the official AWS Documentation covers the process of building container images for Lambdas really well, but it is somewhat scarce on the necessary permissions. Regardless, here’s a link to the official documentation on the permissions aspect. ...

May 10, 2025 · 11 min · 2149 words · Simon