Merge pull request #600 from somtochiama/aws-cross-region

Use registry region to get token for AWS

oci/auth/aws/auth.go

@@ -27,7 +27,6 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
-	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 	"github.com/google/go-containerregistry/pkg/authn"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -79,7 +78,7 @@ func (c *Client) WithConfig(cfg *aws.Config) {
 // be the case if it's running in EKS, and may need additional setup
 // otherwise (visit https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/
 // as a starting point).
-func (c *Client) getLoginAuth(ctx context.Context) (authn.AuthConfig, error) {
+func (c *Client) getLoginAuth(ctx context.Context, awsEcrRegion string) (authn.AuthConfig, error) {
 	// No caching of tokens is attempted; the quota for getting an
 	// auth token is high enough that getting a token every time you
 	// scan an image is viable for O(500) images per region. See
@@ -92,20 +91,11 @@ func (c *Client) getLoginAuth(ctx context.Context) (authn.AuthConfig, error) {
 		cfg = c.config.Copy()
 	} else {
 		var err error
-		cfg, err = config.LoadDefaultConfig(ctx)
+		cfg, err = config.LoadDefaultConfig(ctx, config.WithRegion(awsEcrRegion))
 		if err != nil {
 			c.mu.Unlock()
 			return authConfig, fmt.Errorf("failed to load default configuration: %w", err)
 		}
-		// Query the current region from IMDS if it's not set yet.
-		if cfg.Region == "" {
-			client := imds.NewFromConfig(cfg)
-			resp, err := client.GetRegion(ctx, &imds.GetRegionInput{})
-			if err != nil {
-				return authConfig, err
-			}
-			cfg.Region = resp.Region
-		}
 		c.config = &cfg
 	}
 	c.mu.Unlock()
@@ -146,7 +136,12 @@ func (c *Client) getLoginAuth(ctx context.Context) (authn.AuthConfig, error) {
 func (c *Client) Login(ctx context.Context, autoLogin bool, image string) (authn.Authenticator, error) {
 	if autoLogin {
 		ctrl.LoggerFrom(ctx).Info("logging in to AWS ECR for " + image)
-		authConfig, err := c.getLoginAuth(ctx)
+		_, awsEcrRegion, ok := ParseRegistry(image)
+		if !ok {
+			return nil, errors.New("failed to parse AWS ECR image, invalid ECR image")
+		}
+
+		authConfig, err := c.getLoginAuth(ctx, awsEcrRegion)
 		if err != nil {
 			return nil, err
 		}
@@ -158,8 +153,13 @@ func (c *Client) Login(ctx context.Context, autoLogin bool, image string) (authn
 }
 
 // OIDCLogin attempts to get the authentication material for ECR.
-func (c *Client) OIDCLogin(ctx context.Context) (authn.Authenticator, error) {
-	authConfig, err := c.getLoginAuth(ctx)
+func (c *Client) OIDCLogin(ctx context.Context, registryURL string) (authn.Authenticator, error) {
+	_, awsEcrRegion, ok := ParseRegistry(registryURL)
+	if !ok {
+		return nil, errors.New("failed to parse AWS ECR image, invalid ECR image")
+	}
+
+	authConfig, err := c.getLoginAuth(ctx, awsEcrRegion)
 	if err != nil {
 		return nil, err
 	}

oci/auth/aws/auth_test.go

@@ -157,11 +157,10 @@ func TestGetLoginAuth(t *testing.T) {
 			})
 			// set the region in the config since we are not using the `LoadDefaultConfig` function that sets the region
 			// by querying the instance metadata service(IMDS)
-			cfg.Region = "us-east-1"
 			cfg.Credentials = credentials.NewStaticCredentialsProvider("x", "y", "z")
 			ec.WithConfig(cfg)
 
-			a, err := ec.getLoginAuth(context.TODO())
+			a, err := ec.getLoginAuth(context.TODO(), "us-east-1")
 			g.Expect(err != nil).To(Equal(tt.wantErr))
 			if tt.statusCode == http.StatusOK {
 				g.Expect(a).To(Equal(tt.wantAuthConfig))
@@ -229,7 +228,7 @@ func TestLogin(t *testing.T) {
 			g.Expect(err != nil).To(Equal(tt.wantErr))
 
 			if tt.testOIDC {
-				_, err = ecrClient.OIDCLogin(context.TODO())
+				_, err = ecrClient.OIDCLogin(context.TODO(), tt.image)
 				g.Expect(err != nil).To(Equal(tt.wantErr))
 			}
 		})

oci/auth/login/login.go

@@ -141,7 +141,7 @@ func (m *Manager) OIDCLogin(ctx context.Context, registryURL string, opts Provid
 			return nil, fmt.Errorf("ECR authentication failed: %w", oci.ErrUnconfiguredProvider)
 		}
 		ctrl.LoggerFrom(ctx).Info("logging in to AWS ECR for " + u.Host)
-		return m.ecr.OIDCLogin(ctx)
+		return m.ecr.OIDCLogin(ctx, u.Host)
 	case oci.ProviderGCP:
 		if !opts.GcpAutoLogin {
 			return nil, fmt.Errorf("GCR authentication failed: %w", oci.ErrUnconfiguredProvider)

oci/go.mod

@@ -15,7 +15,6 @@ require (
 	github.com/aws/aws-sdk-go-v2 v1.18.1
 	github.com/aws/aws-sdk-go-v2/config v1.18.27
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.26
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.18.13
 	github.com/distribution/distribution/v3 v3.0.0-20230621170613-87b280718d38
 	github.com/fluxcd/pkg/sourceignore v0.3.4
@@ -33,6 +32,7 @@ require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
 	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
 	github.com/acomagu/bufpipe v1.0.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.34 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.28 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.35 // indirect