diff --git a/oci/auth/aws/auth.go b/oci/auth/aws/auth.go
index 6b221cc52..fbaa208eb 100644
--- a/oci/auth/aws/auth.go
+++ b/oci/auth/aws/auth.go
@@ -27,7 +27,6 @@ import (
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/config"
- "github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 "github.com/aws/aws-sdk-go-v2/service/ecr"
 "github.com/google/go-containerregistry/pkg/authn"
 ctrl "sigs.k8s.io/controller-runtime"
@@ -79,7 +78,7 @@ func (c *Client) WithConfig(cfg *aws.Config) {
 // be the case if it's running in EKS, and may need additional setup
 // otherwise (visit https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/
 // as a starting point).
-func (c *Client) getLoginAuth(ctx context.Context) (authn.AuthConfig, error) {
+func (c *Client) getLoginAuth(ctx context.Context, awsEcrRegion string) (authn.AuthConfig, error) {
 // No caching of tokens is attempted; the quota for getting an
 // auth token is high enough that getting a token every time you
 // scan an image is viable for O(500) images per region. See
@@ -92,20 +91,11 @@ func (c *Client) getLoginAuth(ctx context.Context) (authn.AuthConfig, error) {
 cfg = c.config.Copy()
 } else {
 var err error
- cfg, err = config.LoadDefaultConfig(ctx)
+ cfg, err = config.LoadDefaultConfig(ctx, config.WithRegion(awsEcrRegion))
 if err != nil {
 c.mu.Unlock()
 return authConfig, fmt.Errorf("failed to load default configuration: %w", err)
 }
- // Query the current region from IMDS if it's not set yet.
- if cfg.Region == "" {
- client := imds.NewFromConfig(cfg)
- resp, err := client.GetRegion(ctx, &imds.GetRegionInput{})
- if err != nil {
- return authConfig, err
- }
- cfg.Region = resp.Region
- }
 c.config = &cfg
 }
 c.mu.Unlock()
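Review bot: The doc comment that ends just above the new `getLoginAuth` signature (its opening lines are outside this hunk) still only talks about where credentials come from and says nothing about the new `awsEcrRegion` parameter, which now decides which regional ECR endpoint the token request goes to. Since the parameter is only consulted when no config has been set yet, that caveat belongs in the comment as well. I'd add, before the signature: `// awsEcrRegion is the region parsed from the ECR registry host; it is applied via config.WithRegion only when the client has no cached config (see WithConfig).`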
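Review bot: `awsEcrRegion` only takes effect on the first call, inside the `else` branch that runs while `c.config` is nil; after `c.config = &cfg` every later call, and every call on a client primed through `WithConfig`, goes through `cfg = c.config.Copy()` and the region argument is ignored. Unless the unchanged remainder of `getLoginAuth` (outside this hunk) overrides `cfg.Region`, one client serving images from two regions will request the second image's token from the first image's regional endpoint, and a `WithConfig` config with an empty Region — exactly what the updated test now supplies — has no region at all. Because `cfg` is a per-call copy, the minimal fix is to set the region on the copy under the lock, `cfg = c.config.Copy()` followed by `cfg.Region = awsEcrRegion`, so the cached config stays region-agnostic and each call targets the registry's own region. If a caller-supplied Region from `WithConfig` is meant to win instead, that precedence should be stated in the `WithConfig` doc comment, because today nothing in the hunk documents which source is authoritative.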
@@ -146,7 +136,12 @@ func (c *Client) getLoginAuth(ctx context.Context) (authn.AuthConfig, error) {
 func (c *Client) Login(ctx context.Context, autoLogin bool, image string) (authn.Authenticator, error) {
 if autoLogin {
 ctrl.LoggerFrom(ctx).Info("logging in to AWS ECR for " + image)
- authConfig, err := c.getLoginAuth(ctx)
+ _, awsEcrRegion, ok := ParseRegistry(image)
+ if !ok {
+ return nil, errors.New("failed to parse AWS ECR image, invalid ECR image")
+ }
+
+ authConfig, err := c.getLoginAuth(ctx, awsEcrRegion)
 if err != nil {
 return nil, err
 }
@@ -158,8 +153,13 @@ func (c *Client) Login(ctx context.Context, autoLogin bool, image string) (authn
 }
 // OIDCLogin attempts to get the authentication material for ECR.
-func (c *Client) OIDCLogin(ctx context.Context) (authn.Authenticator, error) {
- authConfig, err := c.getLoginAuth(ctx)
+func (c *Client) OIDCLogin(ctx context.Context, registryURL string) (authn.Authenticator, error) {
+ _, awsEcrRegion, ok := ParseRegistry(registryURL)
+ if !ok {
+ return nil, errors.New("failed to parse AWS ECR image, invalid ECR image")
+ }
+
+ authConfig, err := c.getLoginAuth(ctx, awsEcrRegion)
 if err != nil {
 return nil, err
 }
diff --git a/oci/auth/aws/auth_test.go b/oci/auth/aws/auth_test.go
index b78019d30..49bd416d0 100644
--- a/oci/auth/aws/auth_test.go
+++ b/oci/auth/aws/auth_test.go
@@ -157,11 +157,10 @@ func TestGetLoginAuth(t *testing.T) {
 })
 // set the region in the config since we are not using the `LoadDefaultConfig` function that sets the region
 // by querying the instance metadata service(IMDS)
- cfg.Region = "us-east-1"
 cfg.Credentials = credentials.NewStaticCredentialsProvider("x", "y", "z")
 ec.WithConfig(cfg)
- a, err := ec.getLoginAuth(context.TODO())
+ a, err := ec.getLoginAuth(context.TODO(), "us-east-1")
 g.Expect(err != nil).To(Equal(tt.wantErr))
 if tt.statusCode == http.StatusOK {
 g.Expect(a).To(Equal(tt.wantAuthConfig))
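Review bot: Both `Login` and `OIDCLogin` fail with the same fixed message `failed to parse AWS ECR image, invalid ECR image`, which names neither the offending value nor, in `OIDCLogin`, the fact that the input is a registry host rather than an image (login.go passes `u.Host` into a parameter called `registryURL`), so a mis-typed registry is hard to diagnose from the controller log. I'd carry the input in the error, e.g. `return nil, fmt.Errorf("invalid AWS ECR registry host %q", registryURL)` in `OIDCLogin` and the image equivalent in `Login`, and rename the parameter to `registryHost` to match what the caller actually sends. A threat-model note is worth recording in a comment here too: the region is now derived from a user-controlled image reference instead of the instance's own metadata; that only selects which regional ECR endpoint is called with the workload's existing credentials, but it means `ParseRegistry` (not shown in this diff) must restrict the region to the ECR host pattern so that an arbitrary string never reaches the SDK's endpoint resolver. The body of `Login` after the `if autoLogin` block lies outside the hunk.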
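Review bot: The comment left in `TestGetLoginAuth`, `// set the region in the config since we are not using the LoadDefaultConfig function that sets the region by querying the instance metadata service(IMDS)`, is now stale: the line it explained (`cfg.Region = "us-east-1"`) is deleted, IMDS is no longer consulted anywhere in the package, and the region is instead passed straight to `getLoginAuth`. I'd replace it with `// Region is deliberately left empty on the config; it is supplied per call to getLoginAuth, as Login/OIDCLogin do after parsing the registry host.` This test is also the one place that exercises the `WithConfig` path with an empty Region plus a region argument, so it is the right place to assert that the resulting ECR client actually targets us-east-1 — if the mock endpoint resolver used here ignores the region, the argument's effect on the cached-config path is not verified by this test.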
@@ -229,7 +228,7 @@ func TestLogin(t *testing.T) {
 g.Expect(err != nil).To(Equal(tt.wantErr))
 if tt.testOIDC {
- _, err = ecrClient.OIDCLogin(context.TODO())
+ _, err = ecrClient.OIDCLogin(context.TODO(), tt.image)
 g.Expect(err != nil).To(Equal(tt.wantErr))
 }
 })
diff --git a/oci/auth/login/login.go b/oci/auth/login/login.go
index cc5db7b5f..a93aa7e27 100644
--- a/oci/auth/login/login.go
+++ b/oci/auth/login/login.go
@@ -141,7 +141,7 @@ func (m *Manager) OIDCLogin(ctx context.Context, registryURL string, opts Provid
 return nil, fmt.Errorf("ECR authentication failed: %w", oci.ErrUnconfiguredProvider)
 }
 ctrl.LoggerFrom(ctx).Info("logging in to AWS ECR for " + u.Host)
- return m.ecr.OIDCLogin(ctx)
+ return m.ecr.OIDCLogin(ctx, u.Host)
 case oci.ProviderGCP:
 if !opts.GcpAutoLogin {
 return nil, fmt.Errorf("GCR authentication failed: %w", oci.ErrUnconfiguredProvider)
diff --git a/oci/go.mod b/oci/go.mod
index d22b5343c..6abdd03c3 100644
--- a/oci/go.mod
+++ b/oci/go.mod
@@ -15,7 +15,6 @@ require (
 github.com/aws/aws-sdk-go-v2 v1.18.1
 github.com/aws/aws-sdk-go-v2/config v1.18.27
 github.com/aws/aws-sdk-go-v2/credentials v1.13.26
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4
 github.com/aws/aws-sdk-go-v2/service/ecr v1.18.13
 github.com/distribution/distribution/v3 v3.0.0-20230621170613-87b280718d38
 github.com/fluxcd/pkg/sourceignore v0.3.4
@@ -33,6 +32,7 @@ require (
 github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
 github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
 github.com/acomagu/bufpipe v1.0.4 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4 // indirect
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 // indirect
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35 // indirect