From c15010840666a2ed5d7fc99883998cd2d088a5f8 Mon Sep 17 00:00:00 2001 From: Peter Goodman Date: Wed, 28 Mar 2018 23:40:06 +1300 Subject: [PATCH 1/6] Add support for logging into ECR for authentication --- docker/dockerdist/dockerdist.go | 86 ++++++++++++++++++++++++++++++++- glide.yaml | 8 +++ 2 files changed, 93 insertions(+), 1 deletion(-) diff --git a/docker/dockerdist/dockerdist.go b/docker/dockerdist/dockerdist.go index da1c52c..1044e32 100644 --- a/docker/dockerdist/dockerdist.go +++ b/docker/dockerdist/dockerdist.go @@ -17,12 +17,20 @@ package dockerdist import ( + "encoding/base64" "errors" + "fmt" "net/url" + "os" "reflect" + "regexp" "strings" + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/ec2metadata" + "github.com/aws/aws-sdk-go/aws/session" + "github.com/aws/aws-sdk-go/service/ecr" "github.com/coreos/pkg/capnslog" distlib "github.com/docker/distribution" "github.com/docker/distribution/manifest/schema1" @@ -36,14 +44,16 @@ import ( "github.com/docker/docker/reference" "github.com/docker/docker/registry" "github.com/opencontainers/go-digest" - "golang.org/x/net/context" "github.com/spf13/viper" + "golang.org/x/net/context" ) var log = capnslog.NewPackageLogger("github.com/jgsqware/clairctl", "dockerdist") var ErrTagNotFound = errors.New("this image or tag is not found") +var ecrRegex, _ = regexp.Compile(`((?P[a-zA-Z0-9][a-zA-Z0-9_-]*)\.dkr\.ecr\.(?P[a-zA-Z0-9][a-zA-Z0-9_-]*)\.amazonaws\.com(\.cn)?)(/(?P[a-zA-Z0-9_-]+))?(:(?P[a-zA-Z0-9_\-/]+))?`) + func isInsecureRegistry(registryHostname string) bool { for _, r := range viper.GetStringSlice("docker.insecure-registries") { if r == registryHostname { 
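Review bot: `var ecrRegex, _ = regexp.Compile(...)` discards the compile error, so a bad pattern leaves `ecrRegex` nil and the first `ecrRegex.MatchString` in GetAuthCredentials panics at runtime instead of at init; a package-level pattern should be `var ecrRegex = regexp.MustCompile(`…`)`. As rendered here the named groups read `(?P[...]` with no `<name>` part, which Go's RE2 syntax rejects — if that is only a display artifact of `(?P<registryId>…)` the error-handling point still stands, and the same discarded error is carried into the `@@ -52,7 +52,7 @@` hunk of PATCH 2/6 that widens the repository character class. The pattern is also unanchored, so `MatchString` treats any image reference that merely contains an `*.dkr.ecr.*.amazonaws.com` substring as ECR and routes it to the AWS credential path; anchoring with `^…$` keeps the ECR detection to the registry host.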
@@ -181,9 +191,83 @@ func getDigest(ctx context.Context, repo distlib.Repository, image reference.Nam return descriptor.Digest, nil } +func getEcrCredentials(image string) (types.AuthConfig, error) { + + names := ecrRegex.SubexpNames() + captures := ecrRegex.FindAllStringSubmatch(image, -1)[0] + namedCaptures := map[string]string{} + + for i, n := range captures { + namedCaptures[names[i]] = n + } + + log.Debugf("The ECR registry id is %s\n", namedCaptures["registryId"]) + + // configure aws client + sess := session.New() + region, err := getRegion(sess) + if err != nil { + return types.AuthConfig{}, fmt.Errorf("Error fetching AWS region: %s\n", err.Error()) + } + svc := ecr.New(sess, aws.NewConfig().WithMaxRetries(10).WithRegion(region)) + registryId := namedCaptures["registryId"] + + // this lets us handle multiple registries + params := &ecr.GetAuthorizationTokenInput{ + RegistryIds: []*string{®istryId}, + } + + // request the token + resp, err := svc.GetAuthorizationToken(params) + if err != nil { + return types.AuthConfig{}, fmt.Errorf("Error authorizing: %s\n", err.Error()) + } + + // extract base64 token + data, err := base64.StdEncoding.DecodeString(*resp.AuthorizationData[0].AuthorizationToken) + if err != nil { + return types.AuthConfig{}, fmt.Errorf("Error decoding autorization token: %s\n", err.Error()) + } + + // extract username and password + token := strings.SplitN(string(data), ":", 2) + + authConfig := types.AuthConfig{ + Username: token[0], + Password: token[1], + ServerAddress: captures[1], + } + + log.Debugf("Successfully logged into ECR") + log.Debugf("- Username: %s", authConfig.Username) + log.Debugf("- ServerAddress: %s", authConfig.ServerAddress) + + return authConfig, nil +} + +// if AWS_REGION not set, infer from instance metadata +func getRegion(sess *session.Session) (string, error) { + region, exists := os.LookupEnv("AWS_REGION") + if !exists { + ec2region, err := ec2metadata.New(sess).Region() + if err != nil { + return "", 
fmt.Errorf("AWS_REGION not set and unable to fetch region from instance metadata: %s\n", err.Error()) + } + region = ec2region + } + return region, nil +} + // GetAuthCredentials returns the auth credentials (if any found) for the given repository, as found // in the user's docker config. func GetAuthCredentials(image string) (types.AuthConfig, error) { + // Check if this is an ECR image + ecrMatch := ecrRegex.MatchString(image) + + if ecrMatch { + return getEcrCredentials(image) + } + // Lookup the index information for the name. indexInfo, err := registry.ParseSearchIndexInfo(image) if err != nil { diff --git a/glide.yaml b/glide.yaml index 10071ff..627b5f8 100644 --- a/glide.yaml +++ b/glide.yaml @@ -48,3 +48,11 @@ import: version: v2.0.0 - package: github.com/fatih/color version: ^1.5.0 +- package: github.com/aws/aws-sdk-go + version: ^1.13.22 + subpackages: + - aws + - aws/credentials + - aws/session + - service/ecr + - service/ecr/ecriface From 7b5b8370c2983389ae550c4924ad432f37c1677e Mon Sep 17 00:00:00 2001 From: Murray Carr Date: Wed, 8 Aug 2018 12:57:29 +0100 Subject: [PATCH 2/6] Document process to allow use of ECR repo from Document how to build locally. LocalDockerFile for building via the local source. Bump VERSION to 1.2.9 --- .gitignore | 5 +++ LocalDockerfile | 58 +++++++++++++++++++++++++++++++++ README.md | 53 ++++++++++++++++++++++++++++++ VERSION | 2 +- docker/dockerdist/dockerdist.go | 2 +- glide.lock | 46 +++++++++++++++++++++++--- glide.yaml | 1 + local-docker.sh | 18 ++++++++++ 8 files changed, 179 insertions(+), 6 deletions(-) create mode 100644 LocalDockerfile create mode 100755 local-docker.sh diff --git a/.gitignore b/.gitignore index 41ef347..0d17fc9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,8 @@ clairctl clairctl.yml reports/ +clairctl.zip +vendor/ +.idea/ +*.iml +.DS_Store \ No newline at end of file diff --git a/LocalDockerfile b/LocalDockerfile new file mode 100644 index 0000000..ecfd782 --- /dev/null 
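Review bot: `token[1]` in getEcrCredentials panics with an index out of range when the decoded authorization token contains no `:`, and `resp.AuthorizationData[0]` panics when the service returns no entries; both are untrusted-shape inputs and should be length-checked, e.g. `if len(resp.AuthorizationData) == 0 { return types.AuthConfig{}, errors.New("ecr: empty authorization data") }` and `if len(token) != 2 { return types.AuthConfig{}, errors.New("ecr: malformed authorization token") }`. `ecrRegex.FindAllStringSubmatch(image, -1)[0]` likewise relies on the caller having run MatchString first; `FindStringSubmatch` with a nil check keeps the function safe on its own. The error strings embed a trailing `\n` and `err.Error()`, which reads oddly once wrapped by callers — `fmt.Errorf("ecr authorization: %v", err)` is the usual shape — and `session.New()` is deprecated in favour of `session.NewSession()`, which surfaces config errors instead of deferring them. The debug logging correctly prints only the username and server address and not the decoded password; keep it that way, and note GetAuthCredentials continues past the end of this hunk.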
+++ b/LocalDockerfile @@ -0,0 +1,58 @@ +FROM alpine:3.5 + +# Purpose: LocalDockerfile - allows building the clairctl from the local source files if you have cloned the project. +# Dockerfile - downloads the source from github.com as a tar file and builds the clairctl via that source. + +ENV GOPATH=/go +ENV PATH=${GOPATH}/bin:${PATH} +ENV DOCKER_API_VERSION=1.24 +ARG DOCKER_VERSION=${DOCKER_VERSION:-latest} +ARG CLAIRCTL_VERSION=${CLAIRCTL_VERSION:-master} +ARG CLAIRCTL_COMMIT= + +RUN mkdir -p ${GOPATH}/src/github.com/jgsqware/clairctl/ + +COPY clairctl.zip ${GOPATH}/src/github.com/jgsqware/clairctl/clairctl.zip + +RUN unzip ${GOPATH}/src/github.com/jgsqware/clairctl/clairctl.zip -d ${GOPATH}/src/github.com/jgsqware/clairctl/ \ + && rm ${GOPATH}/src/github.com/jgsqware/clairctl/clairctl.zip + +RUN apk add --update curl \ + && apk add --virtual build-dependencies go gcc build-base glide git \ + && adduser clairctl -D \ + && mkdir -p /reports \ + && chown -R clairctl:clairctl /reports /tmp \ + && curl https://get.docker.com/builds/Linux/x86_64/docker-${DOCKER_VERSION}.tgz -o docker.tgz \ + && tar xfvz docker.tgz --strip 1 -C /usr/bin/ docker/docker \ + && rm -f docker.tgz \ + && go get -u github.com/jteeuwen/go-bindata/... \ + && cd ${GOPATH}/src/github.com/jgsqware/clairctl \ + && glide install -v \ + && go generate ./clair \ + && go build -o /usr/local/bin/clairctl -ldflags "-X github.com/jgsqware/clairctl/cmd.version=${CLAIRCTL_VERSION}-${CLAIRCTL_COMMIT}" \ + && apk del build-dependencies \ + && rm -rf /var/cache/apk/* \ + && rm -rf /root/.glide/ \ + && rm -rf /go \ + && echo $'clair:\n\ + port: 6060\n\ + healthPort: 6061\n\ + uri: http://clair\n\ + priority: Low\n\ + report:\n\ + path: /reports\n\ + format: html\n\ +clairctl:\n\ + port: 44480\n\ + tempfolder: /tmp'\ + > /home/clairctl/clairctl.yml + +USER clairctl + +WORKDIR /home/clairctl/ + +EXPOSE 44480 + +VOLUME ["/tmp/", "/reports/"] + +CMD ["/usr/sbin/crond", "-f"] \ No newline at end of file 
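Review bot: The `curl https://get.docker.com/... -o docker.tgz` step has no `-f`/`--fail`, so an HTTP error page is saved as docker.tgz and the build only fails later with a confusing tar error; `curl -fsSL https://get.docker.com/builds/Linux/x86_64/docker-${DOCKER_VERSION}.tgz -o docker.tgz` fails at the download instead. The docker tarball (default `DOCKER_VERSION=latest`) and `go get -u github.com/jteeuwen/go-bindata/...` are both fetched unpinned at build time and installed without any checksum or signature verification, which makes the image non-reproducible and dependent on whatever those endpoints serve; pinning a version and checking a known digest before extracting into /usr/bin would close that. A short comment on the RUN line stating which inputs are pinned and which float would also help the next maintainer.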
diff --git a/README.md b/README.md index c39a252..3a2ee5f 100644 --- a/README.md +++ b/README.md @@ -140,6 +140,59 @@ go build This will result in a `clairctl` executable in the `$GOPATH/src/github.com/jgsqware/clairctl` folder. +# Build the Docker Container Locally + +`./local-docker.sh OPTIONAL_TAG_NAME` + +E.G.: + +Build a tagged version + +`./local-docker.sh jgsqware/clairctl:1.2.9` + +or + +Build an untagged version for local development. + +`./local-docker.sh` + +# Use with ECR + +## Change to your ~/.aws/credentials + +If you are using an ECR to hold your Docker containers then you will have to add the `registry id` to your `~/.aws/credentials` + +E.G.: + +``` + docker-compose exec clairctl clairctl report 111111111111.dkr.ecr.amazon-zone.amazonaws.com/your-company-or-grouping/your-container:docker_version +``` + +or + +``` + ./clairctl report 111111111111.dkr.ecr.amazon-zone.amazonaws.com/your-company-or-grouping/your-container:docker_version +``` + +your `~/.aws/credentials` will have to have a section for each ECR `registry id` that you use. + +For the above example the `registry id ` is `111111111111` + +Copy the `~/.aws/credentials` for `[default]` settings to create settings for `[111111111111]` + +```bash +[deafult] + +aws_access_key_id = YOUR_ACCESS_KEY_ID +aws_secret_access_key = YOUR_SECRET_ACCESS_KEY + +[111111111111] + +aws_access_key_id = YOUR_ACCESS_KEY_ID +aws_secret_access_key = YOUR_SECRET_ACCESS_KEY + +``` + # FAQ ## I get 400 errors ! diff --git a/VERSION b/VERSION index 5975b14..434dcac 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.2.8 \ No newline at end of file +1.2.9 \ No newline at end of file diff --git a/docker/dockerdist/dockerdist.go b/docker/dockerdist/dockerdist.go index 1044e32..153a5f2 100644 --- a/docker/dockerdist/dockerdist.go +++ b/docker/dockerdist/dockerdist.go 
@@ -52,7 +52,7 @@ var log = capnslog.NewPackageLogger("github.com/jgsqware/clairctl", "dockerdist" var ErrTagNotFound = errors.New("this image or tag is not found") -var ecrRegex, _ = regexp.Compile(`((?P[a-zA-Z0-9][a-zA-Z0-9_-]*)\.dkr\.ecr\.(?P[a-zA-Z0-9][a-zA-Z0-9_-]*)\.amazonaws\.com(\.cn)?)(/(?P[a-zA-Z0-9_-]+))?(:(?P[a-zA-Z0-9_\-/]+))?`) +var ecrRegex, _ = regexp.Compile(`((?P[a-zA-Z0-9][a-zA-Z0-9_-]*)\.dkr\.ecr\.(?P[a-zA-Z0-9][a-zA-Z0-9_-]*)\.amazonaws\.com(\.cn)?)(/(?P[a-zA-Z0-9/_-]+))?(:(?P[a-zA-Z0-9_\-/]+))?`) func isInsecureRegistry(registryHostname string) bool { for _, r := range viper.GetStringSlice("docker.insecure-registries") { diff --git a/glide.lock b/glide.lock index b36b084..3b89260 100644 --- a/glide.lock +++ b/glide.lock @@ -1,5 +1,5 @@ -hash: 93844a64dc51db6338d9ea0215e614e4f7ef8e2ca845534c6e81064696ed2b42 -updated: 2017-06-27T17:57:43.60340145+02:00 +hash: d3cfc2378824ba0a29ec993c53ea5f06182f2429a0af768322452c1a31b394ea +updated: 2018-08-06T18:21:35.982413+01:00 imports: - name: cloud.google.com/go version: 3b1ae45394a234c385be014e9a488f2bb6eef821 
@@ -8,6 +8,40 @@ imports: - internal - name: github.com/artyom/untar version: 02ed5a2449a661eb02b1e3d658524223ab726412 +- name: github.com/aws/aws-sdk-go + version: f70339bb6af843c8ab1974381b3f4fcaee2b1a41 + subpackages: + - aws + - aws/awserr + - aws/awsutil + - aws/client + - aws/client/metadata + - aws/corehandlers + - aws/credentials + - aws/credentials/ec2rolecreds + - aws/credentials/endpointcreds + - aws/credentials/stscreds + - aws/csm + - aws/defaults + - aws/ec2metadata + - aws/endpoints + - aws/request + - aws/session + - aws/signer/v4 + - internal/sdkio + - internal/sdkrand + - internal/sdkuri + - internal/shareddefaults + - private/protocol + - private/protocol/json/jsonutil + - private/protocol/jsonrpc + - private/protocol/query + - private/protocol/query/queryutil + - private/protocol/rest + - private/protocol/xml/xmlutil + - service/ecr + - service/ecr/ecriface + - service/sts - name: github.com/Azure/go-ansiterm version: fa152c58bc15761d0200cb75fe958b89a9d4888e subpackages: @@ -141,7 +175,7 @@ imports: - sockets - tlsconfig - name: github.com/docker/go-units - version: f2d77a61e3c169b43402a0a1e84f06daf29b8190 + version: 47565b4f722fb6ceae66b95f853feed578a4a51c - name: github.com/docker/libtrust version: fa567046d9b14f6aa788882a950d69651d230b21 - name: github.com/emicklei/go-restful @@ -150,13 +184,15 @@ imports: - log - swagger - name: github.com/fatih/color - version: 570b54cabe6b8eb0bc2dfce68d964677d63b5260 + version: 5b77d2a35fb0ede96d138fc9a99f5c9b6aef11b4 - name: github.com/fernet/fernet-go version: 1b2437bc582b3cfbb341ee5a29f8ef5b42912ff2 - name: github.com/fsnotify/fsnotify version: bd2828f9f176e52d7222e565abb2d338d3f3c103 - name: github.com/ghodss/yaml version: 73d445a93680fa1a78ae23a5839bad48f32ba1ee +- name: github.com/go-ini/ini + version: d58d458bec3cb5adec4b7ddb41131855eac0b33f - name: github.com/go-openapi/jsonpointer version: 46af16f9f7b149af66e5d1bd010e3574dc06de98 - name: github.com/go-openapi/jsonreference 
@@ -197,6 +233,8 @@ imports: version: 76626ae9c91c4f2a10f34cad8ce83ea42c93bb75 - name: github.com/jgsqware/xnet version: 13630f0737d214dba8344df649039c19551553d8 +- name: github.com/jmespath/go-jmespath + version: c2b33e8439af944379acbdd9c3a5fe0bc44bd8a5 - name: github.com/jonboulle/clockwork version: 72f9bd7c4e0c2a40055ab3d0f09654f730cce982 - name: github.com/juju/ratelimit diff --git a/glide.yaml b/glide.yaml index 627b5f8..87cf5a3 100644 --- a/glide.yaml +++ b/glide.yaml @@ -56,3 +56,4 @@ import: - aws/session - service/ecr - service/ecr/ecriface + - aws/ec2metadata diff --git a/local-docker.sh b/local-docker.sh new file mode 100755 index 0000000..518564e --- /dev/null +++ b/local-docker.sh @@ -0,0 +1,18 @@ +#!/usr/bin/env sh + +# Purpose: This script allows building the clairctl from the local source files. Not downloading the source from github as a tar as done in Dockerfile + + +TAG_VERSION=$1 + +if test -n "$TAG_VERSION"; then + TAG_VERSION="-t ${TAG_VERSION}"; +fi + +# Zip up all of the Go source files that are needed for the Dockerfile +# This clairctl.zip will be used inside the Dockerfile to create the binary of clairctl + +rm clairctl.zip +zip -r clairctl.zip cmd clair config contrib docker docker-compose-data hooks server xstrings DockerFile glide* main.go VERSION LICENSE -x *.idea* -x vendor -x clairctl.zip -x clairctl -x docker.tgz + +docker build . -f LocalDockerfile ${TAG_VERSION} \ No newline at end of file From 97580587152956be1c9c51b53fad02e21b0ecf3f Mon Sep 17 00:00:00 2001 From: Murray Carr Date: Thu, 9 Aug 2018 22:32:05 +0100 Subject: [PATCH 3/6] Update documentation to include the information about how to setup your AWS ECR information in the docker-compose.yml file. --- README.md | 153 ++++++++++++++++++++++++++++++++++----------- docker-compose.yml | 7 ++- 2 files changed, 122 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index 3a2ee5f..cfa06d5 100644 --- a/README.md +++ b/README.md 
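Review bot: `rm clairctl.zip` fails on a clean checkout where no archive exists, and because the script never sets `set -e`, a failing `zip` is ignored and `docker build` proceeds with a stale or missing archive; use `rm -f clairctl.zip` and add `set -eu` after the shebang, or check zip's exit status before building. The exclude globs `-x *.idea*` are unquoted, so the shell may expand them against the working directory before zip sees them; quote them as `-x '*.idea*'`. `DockerFile` in the zip argument list looks like a case mismatch for the repository's `Dockerfile` (the name the LocalDockerfile comment and README use), which zip would silently skip on a case-sensitive filesystem — worth confirming.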
@@ -119,6 +119,110 @@ images: CVE-2016-7068: Something ``` + +# ECR and clairctl + +## Setup your environment + +your `~/.aws/credentials` will have to have a section for each ECR `registry id` that you use. + +For the below example the `registry id ` is `111111111111` + +Copy the `~/.aws/credentials` for `[default]` settings to create settings for `[111111111111]` + +E.G.: + +```bash + +[deafult] + +aws_access_key_id = YOUR_ACCESS_KEY_ID +aws_secret_access_key = YOUR_SECRET_ACCESS_KEY + +[111111111111] + +aws_access_key_id = YOUR_ACCESS_KEY_ID +aws_secret_access_key = YOUR_SECRET_ACCESS_KEY + +``` + +## Running Clairctl + +### Docker-Compose + +You can use the `docker-compose.yml` file that you can use to help start the 3 containers needed up. + +#### AWS configuration + +##### Set AWS_REGION from environmental variable + + + +replace `amazon-zone` with the zone for your ECR + +`export AWS_REGION=amazon-zone # e.g.: us-east-1 or eu-west-2` + +##### Set AWS_REGION in docker-compose.yml + +Uncomment the following entry in the `clairctl:` `environment:` of and add the value of your ECR region. + +`# - AWS_REGION= # put your region E.G.: us-east-1, eu-west-2 ` + +E.G: + +` - AWS_REGION=us-east-1 # put your region E.G.: us-east-1, eu-west-2 ` + +##### Pass AWS Secrets to docker container + +You will have to choose one of 3 options on passing the AWS secrets to the docker container. + +Uncomment the one type you chose. + +1. Use `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from environmental variables. + 1. export AWS_ACCESS_KEY_ID= + 1. export AWS_SECRET_ACCESS_KEY= + +1. Use `AWS_SESSION_TOKEN` from an environmental variable + 1. export AWS_SESSION_TOKEN= + +1. Use the mounting of the `.aws` directory from your home directory. + + +#### Run Docker-compose + +Start the 3 container + +` docker-compose up -d` + +#### Run commands against the clairctl docker instance. 
+ +``` + docker-compose exec clairctl clairctl COMMAND AWS_ECR_URL/your-company-or-grouping/your-container:docker_version +``` + +E.G.: + +``` + docker-compose exec clairctl clairctl pull 111111111111.dkr.ecr.amazon-zone.amazonaws.com/your-company-or-grouping/your-container:docker_version +``` + +### Command line + +#### Set AWS_REGION for go command line + + + +replace `amazon-zone` with the zone for your ECR + +`export AWS_REGION=amazon-zone # e.g.: us-east-1 or eu-west-2` + +#### Run the clarictl command + +``` + ./clairctl pull 111111111111.dkr.ecr.amazon-zone.amazonaws.com/your-company-or-grouping/your-container:docker_version +``` + + # Building the latest binaries **clairctl** requires Go 1.8+. @@ -140,7 +244,17 @@ go build This will result in a `clairctl` executable in the `$GOPATH/src/github.com/jgsqware/clairctl` folder. -# Build the Docker Container Locally +# Build the Docker Container from Source Locally + +If you are making modifications to the source code and want to test it locally there is another docker file `LocalDockerfile` + +The project `Dockerfile` downloads a zip file of the source from the project from github. + +`https://github.com/jgsqware/clairctl/archive/master.zip` + +You will never see your local changes persisted into the container if you use `docker build .` + +There is a script to help building from the source. `./local-docker.sh OPTIONAL_TAG_NAME` 
@@ -156,42 +270,7 @@ Build an untagged version for local development. `./local-docker.sh` -# Use with ECR - -## Change to your ~/.aws/credentials - -If you are using an ECR to hold your Docker containers then you will have to add the `registry id` to your `~/.aws/credentials` - -E.G.: - -``` - docker-compose exec clairctl clairctl report 111111111111.dkr.ecr.amazon-zone.amazonaws.com/your-company-or-grouping/your-container:docker_version -``` - -or - -``` - ./clairctl report 111111111111.dkr.ecr.amazon-zone.amazonaws.com/your-company-or-grouping/your-container:docker_version -``` - -your `~/.aws/credentials` will have to have a section for each ECR `registry id` that you use. - -For the above example the `registry id ` is `111111111111` - -Copy the `~/.aws/credentials` for `[default]` settings to create settings for `[111111111111]` - -```bash -[deafult] - -aws_access_key_id = YOUR_ACCESS_KEY_ID -aws_secret_access_key = YOUR_SECRET_ACCESS_KEY - -[111111111111] - -aws_access_key_id = YOUR_ACCESS_KEY_ID -aws_secret_access_key = YOUR_SECRET_ACCESS_KEY - -``` +Make sure to change the tag for clairctl in your local docker-compose.yml if you have built a different tagged version. # FAQ diff --git a/docker-compose.yml b/docker-compose.yml index b078d90..5376b80 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -27,9 +27,14 @@ services: restart: unless-stopped environment: - DOCKER_API_VERSION=1.24 +# - AWS_REGION= # put your region E.G.: us-east-1, eu-west-2 +# - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} # (AWS credentials option 1.) Environmental variable for AWS_ACCESS_KEY_ID. +# - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} # (AWS credentials option 1.) Environmental variable for AWS_SECRET_ACCESS_KEY. +# - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} # (AWS credentials option 2.) session token if not using (1.) user/password or (3.) mount of .aws. Environmental variable for AWS_SESSION_TOKEN. volumes: - ./docker-compose-data/clairctl-reports/:/reports/:rw - /var/run/docker.sock:/var/run/docker.sock:ro - depends_on: +# - ${HOME}/.aws:/root/.aws/ # (AWS credentials option 3.) mount AWS credentials from ~/.aws/ in your home folder + depends_on: clair: condition: service_started \ No newline at end of file From 9f71a7cdf9a3197f648847ddbcaf780c6b112194 Mon Sep 17 00:00:00 2001 From: Murray Carr Date: Thu, 9 Aug 2018 22:42:09 +0100 Subject: [PATCH 4/6] add link to aws config setup for command line --- README.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cfa06d5..f30accd 100644 --- a/README.md +++ b/README.md @@ -120,11 +120,13 @@ images: ``` -# ECR and clairctl +# Amazon AWS ECR and clairctl -## Setup your environment +## Setup your .aws/credentials -your `~/.aws/credentials` will have to have a section for each ECR `registry id` that you use. +(Optional) If you choose to use your `~/.aws/credentials` file for configuration make the following changes. + +Your `~/.aws/credentials` you wwill have to add a section for each ECR `registry id` that you use. For the below example the `registry id ` is `111111111111` 
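Review bot: The commented-out option 3 mount `${HOME}/.aws:/root/.aws/` only works if the clairctl process runs as root inside the container; the LocalDockerfile added in this series switches to `USER clairctl` with home `/home/clairctl`, where the AWS SDK's shared-credentials lookup would not find `/root/.aws/`, so the target should match the container user's home (verify against the image's Dockerfile). The credentials mount should also be read-only like the docker.sock line above it, i.e. `- ${HOME}/.aws:/root/.aws/:ro`, since it exposes long-lived keys to the container. The option 2 comment is misleading: `AWS_SESSION_TOKEN` alone does not authenticate — temporary credentials require the matching `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` as well, so the comment should say the token is used together with option 1's variables rather than instead of them.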
@@ -216,6 +218,10 @@ replace `amazon-zone` with the zone for your ECR `export AWS_REGION=amazon-zone # e.g.: us-east-1 or eu-west-2` +#### Setup your .aws/credentials + +[#Setup-your-.aws/credentials] + #### Run the clarictl command ``` From f7422d42268a42f30ca2f289a2e83140100ace21 Mon Sep 17 00:00:00 2001 From: Murray Carr Date: Thu, 9 Aug 2018 22:43:02 +0100 Subject: [PATCH 5/6] add link to aws config setup for command line --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f30accd..e3c4faa 100644 --- a/README.md +++ b/README.md @@ -220,7 +220,7 @@ replace `amazon-zone` with the zone for your ECR #### Setup your .aws/credentials -[#Setup-your-.aws/credentials] +<#setup-your-awscredentials> #### Run the clarictl command From 70b30357fb8dcb5b5e2db784895f05a31054dc8e Mon Sep 17 00:00:00 2001 From: Murray Carr Date: Thu, 9 Aug 2018 22:48:16 +0100 Subject: [PATCH 6/6] add link to aws config setup for command line --- README.md | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index e3c4faa..f6c8f81 100644 --- a/README.md +++ b/README.md @@ -122,7 +122,9 @@ images: # Amazon AWS ECR and clairctl -## Setup your .aws/credentials +## Setup your environment for AWS ECR + +### via .aws/credentials (Optional) If you choose to use your `~/.aws/credentials` file for configuration make the following changes. @@ -148,6 +150,21 @@ aws_secret_access_key = YOUR_SECRET_ACCESS_KEY ``` +### Via Environmental variables + +#### Session_token and Access_key_id + +``` + export AWS_SESSION_TOKEN= + export AWS_ACCESS_KEY_ID= +``` + +#### (OR) Secret_access_Key + +``` + export AWS_SECRET_ACCESS_KEY=` +``` + ## Running Clairctl ### Docker-Compose 
@@ -181,11 +198,8 @@ You will have to choose one of 3 options on passing the AWS secrets to the docke Uncomment the one type you chose. 1. Use `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from environmental variables. - 1. export AWS_ACCESS_KEY_ID= - 1. export AWS_SECRET_ACCESS_KEY= 1. Use `AWS_SESSION_TOKEN` from an environmental variable - 1. export AWS_SESSION_TOKEN= 1. Use the mounting of the `.aws` directory from your home directory. @@ -220,7 +234,7 @@ replace `amazon-zone` with the zone for your ECR #### Setup your .aws/credentials -<#setup-your-awscredentials> +[Link to setup your environment for ECR](#setup-your-environment-for-aws-ecr) #### Run the clarictl command