README.md: Update docs on building for AWS ECR
- Kaniko v.1.8.0 does not require additional cred helper logic for ECR,
as it discovers ECR repositories automatically and acts accordingly.
Thus removed from the documentation.
- Add details on using IAM role based authentication for pushing to ECR.

Fixes: GoogleContainerTools#780
Fixes: GoogleContainerTools#1455

Signed-off-by: Jasper Orschulko <[email protected]>
Jasper-Ben committed Mar 28, 2022
1 parent 7b16110 commit 9ad5910
Showing 1 changed file with 2 additions and 15 deletions.
17 changes: 2 additions & 15 deletions README.md
Expand Up @@ -494,23 +494,10 @@ Please ensure, kaniko pod is running in the namespace and with a Kubernetes Serv
#### Pushing to Amazon ECR

The Amazon ECR [credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) is built into the kaniko executor image.
To configure credentials, you will need to do the following:

1. Update the `credsStore` section of [config.json](https://github.com/awslabs/amazon-ecr-credential-helper#configuration):

```json
{ "credsStore": "ecr-login" }
```

You can mount in the new config as a configMap:

```shell
kubectl create configmap docker-config --from-file=<path to config.json>
```

2. Configure credentials
1. Configure credentials

1. You can use instance roles when pushing to ECR from a EC2 instance or from EKS, by [configuring the instance role permissions](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html).
1. You can use instance roles when pushing to ECR from a EC2 instance or from EKS, by [configuring the instance role permissions](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html). The AWS managed policy `EC2InstanceProfileForImageBuilderECRContainerBuilds` provides (broad) permissions to upload ECR images and may be used as configuration baseline. Additionally, set `AWS_SDK_LOAD_CONFIG=true` as environment variable within the kaniko pod. If running on an EC2 instance with an instance profile, you may also need to set `AWS_EC2_METADATA_DISABLED=true` for kaniko to pick up the correct credentials.

2. Or you can create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster.
To create the secret, run:
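
Review bot: In the rewritten instance-role bullet, the final sentence tells users running on an EC2 instance with an instance profile to set `AWS_EC2_METADATA_DISABLED=true`, but that variable stops the AWS SDK from querying the instance metadata service, which is where instance-profile credentials come from, so as written it contradicts the bullet it sits in. Please state which credentials are the "correct" ones (my assumption is a role other than the node's instance profile) and in which setup the variable applies, so that readers neither cut off their only credential source nor end up pushing with a broader node role than intended. Two smaller points: the `credsStore` steps are removed because v1.8.0 discovers ECR automatically according to the commit message, yet the README text does not name that minimum version, so users on older executors lose the only instructions that work for them; and with the intro sentence gone, "1. Configure credentials" is a one-item numbered list that could be flattened. Since the managed policy is described as "(broad)", a sentence advising readers to scope it down to the repositories they push to would fit here.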