How to pull a docker image from AWS ECR to Minikube Kubernetes cluster with MFA enabled
I have a docker image in AWS ECR which is in my secondary account. I want to pull that image to the Minikube Kubernetes cluster using AWS IAM Role ARN where MFA is enabled on it. Due to this, my deployment failed while pulling the Image.
I enabled the registry-creds addon to access the ECR image, but it didn't work out.
May I know any other way to access AWS ECR of AWS Account B via AWS IAM Role ARN with MFA enabled using the credential of the AWS Account A?
For example, I provided details like this
- Enter AWS Access Key ID: Access key of Account A
- Enter AWS Secret Access Key: Secret key of Account A
- (Optional) Enter AWS Session Token:
- Enter AWS Region: us-west-2
- Enter 12 digit AWS Account ID (Comma separated list): [AccountA, AccountB]
- (Optional) Enter ARN of AWS role to assume: <role_arn of AccountB>
ERROR MESSAGE:
```
Warning Failed 2s (x3 over 42s) kubelet Failed to pull image "XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/sample-dev:latest": rpc error: code = Unknown desc = Error response from daemon: Head "https://XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/v2/sample-dev/manifests/latest": no basic auth credentials
Warning Failed 2s (x3 over 42s) kubelet Error: ErrImagePull
```
Solution 1:[1]
Minikube doesn't have a way to provide the MFA token. You need to create temporary credentials somehow and provide those credentials to minikube addons configure registry-creds.
My day job uses aws-vault and so my typical sequence for setting this up involves running
```shell
aws-vault exec some-profile -- env | grep AWS
minikube addons configure registry-creds
```
and then copying the temporary access key (starts with ASIA...), secret, and session token into the Minikube configuration. I do not enter a role ARN in the final prompt; the temporary credentials are already associated with the right AWS role.
The same restrictions and workaround would apply if you were using the Kubernetes-level imagePullSecrets.
Solution 2:[2]
While the minikube addons based solution shown by @DavidMaze is probably cleaner and generally preferable, I wasn't able to get it to work.
Instead, I found out it is possible to give the service account of the pod a copy of the docker login tokens in the local home. If you haven't set a serviceaccount, it's default:
```shell
# Log in with aws ecr get-login or however
kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=$HOME/.docker/config.json \
  --type=kubernetes.io/dockerconfigjson
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred"}]}'
```
This will work fine in a bind.
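Both answers come down to the same thing: a short-lived ECR credential has to end up, keyed by registry host, in a `kubernetes.io/dockerconfigjson` secret (or in the addon's configuration). The script below is an added example for this thread, not code from either answer, and it uses only the Python standard library. It assumes the `authorizationData` shape of the JSON that `aws ecr get-authorization-token` prints, builds the same `config.json` contents and Secret object that the `kubectl create secret generic ... --type=kubernetes.io/dockerconfigjson` command in Solution 2 produces, reports how long the token is still valid, and checks whether the credential actually covers the registry host of the image the pod pulls. That last check is the one behind the kubelet message quoted in the question: `covers()` compares the host in the image reference with the `auths` entries, and a miss there is exactly what surfaces as "no basic auth credentials", so it is worth running when the region answered to the addon prompt differs from the region in the image name. `SAMPLE_RESPONSE` is a constructed stand-in with a fake token.

```python
"""Turn the JSON from `aws ecr get-authorization-token` into the Secret that
Solution 2 creates by hand, and check it against the image the pod pulls.

Added example for this thread, not code from either answer. Assumes the
`authorizationData` shape of the AWS CLI response; uses only the stdlib.
"""
import base64
import json
import sys
from datetime import datetime, timezone
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample shaped like the CLI response; the token is not a real one.
SAMPLE_RESPONSE = {
    "authorizationData": [
        {
            "authorizationToken": base64.b64encode(b"AWS:example-password").decode(),
            "expiresAt": "2030-01-01T00:00:00+00:00",
            "proxyEndpoint": "https://111122223333.dkr.ecr.ca-central-1.amazonaws.com",
        }
    ]
}


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def decode_ecr_token(token: str) -> Tuple[str, str]:
    """ECR tokens are base64("AWS:<password>"); return (username, password)."""
    user, sep, password = base64.b64decode(token).decode().partition(":")
    if sep != ":" or user != "AWS":
        raise ValueError("not an ECR authorization token")
    return user, password


def docker_config_from_ecr(response: dict) -> dict:
    """Build ~/.docker/config.json contents, one `auths` entry per registry host."""
    auths = {}
    for entry in response["authorizationData"]:
        host = urlparse(entry["proxyEndpoint"]).netloc
        user, password = decode_ecr_token(entry["authorizationToken"])
        # docker keeps the pair twice: as fields and as base64("user:password")
        auths[host] = {"username": user, "password": password, "auth": b64(f"{user}:{password}")}
    return {"auths": auths}


def registry_host(image_ref: str) -> str:
    """Registry host of a fully qualified image reference (host/path[:tag|@digest])."""
    host = image_ref.split("/", 1)[0]
    if "." not in host and ":" not in host and host != "localhost":
        raise ValueError("image reference has no registry host: " + image_ref)
    return host


def covers(config: dict, image_ref: str) -> bool:
    """True if config has a credential for the registry that serves image_ref.
    A miss here is what the kubelet reports as 'no basic auth credentials'."""
    return registry_host(image_ref) in config["auths"]


def _parse_time(value) -> datetime:
    if isinstance(value, (int, float)):  # epoch seconds (older CLI output)
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(str(value))  # ISO 8601 (CLI v2 output)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def seconds_until_expiry(response: dict, now_iso: Optional[str] = None) -> float:
    """Seconds until the earliest token in the response expires (ECR tokens last 12 h)."""
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    earliest = min(_parse_time(e["expiresAt"]) for e in response["authorizationData"])
    return (earliest - now).total_seconds()


def secret_manifest(config: dict, name: str = "regcred", namespace: str = "default") -> dict:
    """Same object `kubectl create secret generic ... --type=kubernetes.io/dockerconfigjson` makes."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": b64(json.dumps(config))},
    }


if __name__ == "__main__":
    # usage: aws ecr get-authorization-token | python3 ecr_secret.py IMAGE | kubectl apply -f -
    # with nothing piped in, the constructed sample is used instead.
    response = SAMPLE_RESPONSE if sys.stdin.isatty() else json.load(sys.stdin)
    config = docker_config_from_ecr(response)
    for image in sys.argv[1:]:
        if not covers(config, image):
            print(f"warning: no credential for {registry_host(image)}", file=sys.stderr)
    remaining = seconds_until_expiry(response)
    print(f"token expires in {remaining / 3600:.1f} h; re-run before then", file=sys.stderr)
    print(json.dumps(secret_manifest(config), indent=2))
```

Because the token inside the Secret expires with the ECR token (and, when it was obtained through an assumed MFA role, no later than that STS session), the secret has to be regenerated on a schedule rather than created once; the expiry figure the script prints is there to make that visible.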
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | David Maze |
| Solution 2 | |
