AWS Token Auto-Renewal Guide

Modified on Tue, Oct 28 at 1:05 PM

AWS temporary tokens are valid for 12 hours. The token validity period in the AWS ECR environment cannot be adjusted, and tokens without an expiration date are not issued (this is beyond our control). To work around this, you can use one of the following methods:

 

  1. If you are using an EKS environment, use IRSA (IAM Roles for Service Accounts).

    1. You can think of it as a way to receive separate authentication from your K8s environment to Thinkfree's K8s environment.

    2. However, this is only possible if you are using EKS.

  2. Create a CronJob to process it.

    1. This method creates a K8s CronJob to periodically refresh the token.

    2. It works regardless of your environment.

  3. Convert our ECR environment to a public environment.

    1. Areas requiring policy review

Here, we'll guide you through creating a CronJob to handle this process. This method renews your AWS token every 11 hours.


(1) Enter your AWS credentials.

kubectl -n <NAMESPACE> create secret generic aws-credentials \
  --from-literal=AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID> \
  --from-literal=AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY> \
  --from-literal=AWS_REGION=<AWS_REGION>

  • NAMESPACE: Enter the namespace.

  • AWS_ACCESS_KEY_ID: Enter the access key you received.

  • AWS_SECRET_ACCESS_KEY: Enter the secret key you received.

  • AWS_REGION: Enter the Region you received.




(2) Download the attached file and modify the following parts.


.
.
.

spec:
  schedule: "0 */11 * * *"  # Runs at hours 0, 11 and 22 each day (at most 11 hours apart). Modify as needed.

.
.
.

echo "kubectl version:"
kubectl version --client

AWS_ACCOUNT_ID=""  # Enter the Account ID you received.

.
.
.

TARGET_SECRET="thinkfree-registry-secret"
NAMESPACE=""  # Enter the namespace.
USERNAME="AWS"

.
.
.

(3) Apply the CronJob.

kubectl -n <NAMESPACE> apply -f docker-registry-token-refresh-cronjob.yaml

  • NAMESPACE: Enter the namespace.
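
As an added example (not the attached docker-registry-token-refresh-cronjob.yaml and not Thinkfree's own script), the sketch below shows one way the refresh step inside such a CronJob can work, reusing TARGET_SECRET and USERNAME from the excerpt above. The function names, the rendered Secret layout and the presence of aws, kubectl and base64 in the container image are assumptions of this example.

```shell
#!/bin/sh
# Added example: sketch of a token refresh step, NOT the attached CronJob file.
set -eu

TARGET_SECRET="thinkfree-registry-secret"   # name used in the article
USERNAME="AWS"                              # user name from the article's excerpt

# Registry host for account $1 in region $2 (standard private ECR naming).
ecr_registry_host() {
  printf '%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# Build the .dockerconfigjson payload for host $1 and password $2.
# Assumes the password contains no characters that need JSON escaping.
docker_config_json() {
  auth=$(printf '%s:%s' "$USERNAME" "$2" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$1" "$USERNAME" "$2" "$auth"
}

# Render the Secret manifest for namespace $1, host $2, password $3.
render_secret_manifest() {
  data=$(docker_config_json "$2" "$3" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${TARGET_SECRET}
  namespace: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${data}
EOF
}

# Fetch a fresh token and replace the secret. The manifest reaches kubectl on
# stdin, so the password is not passed as a kubectl command-line argument.
refresh_registry_secret() {  # args: namespace account_id region
  password=$(aws ecr get-login-password --region "$3")
  [ -n "$password" ] || { echo "empty ECR token, keeping old secret" >&2; return 1; }
  render_secret_manifest "$1" "$(ecr_registry_host "$2" "$3")" "$password" \
    | kubectl apply -f -
}

# Inside the CronJob container (values are placeholders):
# refresh_registry_secret "<NAMESPACE>" "<AWS_ACCOUNT_ID>" "<AWS_REGION>"
```

If the token fetch fails, the function returns before touching the cluster, so the previous secret stays in place until the next scheduled run.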
