@dev-sareno
Last active October 9, 2023 05:11
ECR credentials auto-renewal with Cron

EC2 Instance Profile (IAM Role)

IAM Role Trust Relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

IAM Permission:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ECRFullAccess",
            "Effect": "Allow",
            "Action": [
                "ecr:*"
            ],
            "Resource": [
                "arn:aws:ecr:ap-southeast-2:xxxxxxxxx:repository/my-image"
            ]
        },
        {
            "Sid": "GetAuthorizationToken",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}

$ mkdir -p /opt/cron
$ cat <<EOF > /opt/cron/k3s-ecr-credentials-auto-renewal.sh
#!/bin/bash

# -e: stop on the first failing command, -u: unset variables are errors,
# -o pipefail: a failure anywhere in a pipeline fails the script.
# Do not add -x: it would echo the ECR token into the cron output/mail.
set -euo pipefail

# Registry host of the AWS account (account id redacted as xxxxxxxxx).
ecr=xxxxxxxxx.dkr.ecr.ap-southeast-2.amazonaws.com
# Temporary (12-hour) registry token, fetched with the instance profile's credentials.
ecrPassword=\$(aws ecr get-login-password --region ap-southeast-2)
# Render the docker-registry secret client-side and apply it, so an existing
# secret is updated in place instead of failing with "already exists".
kubectl create secret docker-registry ecr \
  --docker-username=AWS \
  --docker-password=\$ecrPassword \
  --docker-email=dev.sareno@gmail.com \
  --docker-server=\$ecr \
  --dry-run=client \
  -n default \
  -o yaml | kubectl apply -f -
echo "ECR login credentials have been renewed successfully!"
EOF
$ chmod +x /opt/cron/k3s-ecr-credentials-auto-renewal.sh
$ crontab -l > ecr
$ echo "# Renew ECR login credentials every 6 hours" >> ecr
$ echo "0 */6 * * * /opt/cron/k3s-ecr-credentials-auto-renewal.sh" >> ecr
$ crontab ecr
$ rm ecr
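The same renewal as the script above, written as an added example (not the gist's own code): the token is never placed on a kubectl command line, where it would be visible in `ps` output or echoed by `set -x`; the Secret manifest is rendered by a function and applied from stdin. The function names `render_pull_secret`, `decode_pull_secret` and `renew` are assumptions; the region and the `xxxxxxxxx` account id are the placeholders used on this page.

```bash
#!/bin/bash
# Added example (not the gist's code): renew the ECR pull secret without ever
# putting the token on a command line, where `ps` or `set -x` could expose it.
set -euo pipefail

# Print a kubernetes.io/dockerconfigjson Secret manifest for the given registry.
# $1 registry host, $2 token from `aws ecr get-login-password`,
# $3 secret name (default ecr), $4 namespace (default default).
# ECR tokens are base64 text, so they need no JSON escaping here.
render_pull_secret() {
  local server="$1" token="$2" name="${3:-ecr}" ns="${4:-default}"
  local auth cfg
  # Docker's "auth" field is base64("username:password"); the ECR username is AWS.
  auth=$(printf '%s' "AWS:${token}" | base64 | tr -d '\n')
  cfg=$(printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
    "$server" "$token" "$auth")
  cat <<YAML
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | base64 | tr -d '\n')
YAML
}

# Decode the .dockerconfigjson payload of a manifest read on stdin (for checks).
decode_pull_secret() {
  sed -n 's/^  \.dockerconfigjson: //p' | base64 -d
}

# Fetch a fresh 12-hour token with the instance profile and apply the secret.
# The token travels through a variable and a pipe, never through argv.
renew() {
  local region="ap-southeast-2"
  local server="xxxxxxxxx.dkr.ecr.${region}.amazonaws.com"  # placeholder account id
  local token
  token=$(aws ecr get-login-password --region "$region")
  render_pull_secret "$server" "$token" ecr default | kubectl apply -f -
  echo "ECR pull secret renewed"
}

# Cron entry: 0 */6 * * * /opt/cron/renew-ecr-secret.sh renew
case "${1:-}" in
  renew) renew ;;
esac
```

Run with the `renew` argument from cron; without it the script only defines the functions, which lets it be sourced and checked offline.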