Setting up the Container Registry Agent for a brokered ECR integration
Last updated
Last updated
More information
Snyk privacy policy© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.
In Elastic Container Registries the brokered communication is the same as in other container registries. However, ECR has a special authentication mechanism that requires setting up an Identify and Access Management (IAM) Role or User in the Agent.
The Container Registry Agent IAM Role or IAM User is an IAM Role or IAM User is used by the Container Registry Agent to assume a role with access to ECR.
The Snyk ECR Service Role is an IAM Role with access to ECR and assumed by the Container Registry Agent IAM Role or IAM User to gain read-only access to ECR. The Snyk ECR Service Role ARN is provided to the Broker Client together with the region the ECR runs in, and is passed to the Container Registry Agent that will assume it.
If there are multiple ECRs in multiple accounts that need to communicate with the Container Registry Agent, you must set up a Broker Client for each ECR.
The following illustrates the architecture for a brokered ECR integration. Refer to the steps that follow for information about setting up the components on the diagram.
Follow these steps to set up a single Container Registry Agent instance with access to ECR repositories located in different accounts.
Run this step once only. Create the Container Registry Agent IAM Role or IAM User with permissions to assume a role. Use the IAM Role or IAM User to run the Container Registry Agent. Run the following steps for each of your ECR accounts, using a separate Broker instance for each ECR account.
In the AWS account where your ECR resides, create the Snyk ECR Service Role with read access to your ECR and restrict this role to be assumed only by the specific Container Registry Agent IAM Role or IAM User created in the previous step.
Restrict the Container Registry Agent IAM Role or IAM User to be allowed to assume only your Snyk ECR Service Role(s).
Provide the Broker Client with the Role Amazon Resource Name (ARN) of the Snyk ECR Service Role. The Broker Client passes this Role ARN to the Container Registry Agent, and the Container Registry Agent assumes it to access your ECR.
In this step, create an IAM Role or an IAM User for use by the Container Registry Agent. The IAM Role or IAM User could be provided to the Container Registry Agent via the methods described in the AWS docs.
The following examples explain how to provide the IAM Role or IAM User using one of the following methods:
Example a: Create a dedicated EC2 role and load credentials from AWS Identity and Access Management (IAM) roles to the EC2 instance running the Container Registry Agent image.
Example b: Create a dedicated user and provide its credentials through environment variables.
You can also provide a dedicated role in Amazon ECS tasks. For more information see the AWS docs.
Go to AWS to log in to the AWS Management Console with the IAM service and navigate to the Roles page.
Choose to create a role.
Select AWS service for the type of trusted entity.
Select EC2 as the use case.
Choose to go next with permission and tags.
Review and provide a role name: SnykCraEc2Role.
Create the role.
From the role's Summary page, for later use, copy the Instance Profile ARN.
Example: arn:aws:iam::aws-account:instance-profile
or SnykCraEc2Role
Also, copy the Role ARN.
Example: arn:aws:iam::aws-account:role
or SnykCraEc2Role
In the newly created role page, in the Permissions tab, create an Inline policy.
In Service choose STS.
In Actions choose Write → AssumeRole.
In Resources choose All resources (you will harden the resources in a later step).
In the JSON tab verify that the policy contains the following:
Review the policy and provide a policy name: SnykCraAssumeRolePolicy.
Choose to create the policy.
Go to the EC2 Management Console and choose the instance running the Container Registry Agent container.
Select Actions → Security → Modify IAM Role.
From the IAM role dropdown list, choose the Instance profile of the IAM role created in the first step.
Example: arn:aws:iam::aws-accoun:instance-profile
or SnykCraEc2Role
Then Save.
When you are running the Container Registry Agent image on the EC2 machine, the credentials of the attached role are automatically picked up by the running Container Registry Agent. Therefore, no extra steps are needed. For more information see the Amazon docs.
Go to AWS to log in to the AWS Management Console with the IAM service and navigate to the Users page.
Select Add users.
Enter the user name: SnykCraUser.
Select Programmatic access as the Access type.
Choose to go next with permission and tags.
Review and create the user.
Once the user is created, save its credentials (Access Key ID and Secret Access Key) for later use.
From the user's Summary page, copy the User ARN for later use.
Example: arn:aws:iam::aws-account:user
or SnykCraUser
In the newly created user page, in the Permissions tab create an Inline policy.
In Service choose STS.
In Actions choose Write→AssumeRole.
In Resources choose All resources (you will harden the resources in a later step).
In the JSON tab verify that the policy contains the following statement:
Review the policy and provide a policy name: SnykCraAssumeRolePolicy.
Choose to create the policy.
When you are running the Container Registry Agent image, the credentials could be provided by setting the following environment variables:
AWS_ACCESS_KEY_ID=User access key ID
AWS_SECRET_ACCESS_KEY=User secret access key
In this step, you will create a Role in the account in which your ECR repositories reside. This Role will allow read-only access to your repositories and could be assumed by the Role created in the previous step.
Go to AWS to log in to the AWS Management Console with the IAM service and navigate to the Policies page.
Create a new policy.
Choose to edit the JSON data.
Delete the default data and in its place copy and paste the following:
Choose to review the policy.
Set AmazonEC2ContainerRegistryReadOnlyForSnyk as the Name.
Set Provides Container Registry Agent with read-only access to Amazon EC2 Container Registry repositories as the description.
Choose to create the policy.
From the AWS Management Console again, navigate to the Roles page. Log in if needed to navigate to the AWS Management Console.
Create a new role.
Select AWS service as the trusted entity and EC2 as the service for this Role.
Choose to go next with permission.
Check the policy AmazonEC2ContainerRegistryReadOnlyForSnyk on the list.
Choose to go next with tags and review.
Set SnykEcrServiceRole as the Name.
Set Allows EC2 instances to call ECR AWS services on your behalf as the Description.
This step hardens the usability of the Snyk ECR Service Role so that it could be assumed only by the Container Registry Agent IAM Role or IAM Role.
Again from the Roles page, find and select the SnykEcrServiceRole to enter the Role configurations.
Select the Trust relationships tab.
Edit the trust relationship.
Delete all of the data and replace it with the following JSON:
In Statement.Principal.AWS enter the IAM Role or IAM User created in the Step 1 .
Example: arn:aws:iam::aws-account:user
or SnykCraEc2Role
OR arn:aws:iam::aws-account:role
or SnykCraUser
, respectively
In Condition.StringEquals.sts:ExternalId you may use an external ID of your choice, which will be used when the credentials object is provided to the Broker Client.
To support multiple external IDs, enter a list of IDs in a square brackets.
Example: sts:ExternalId: [ 11111111-1111-1111-1111-111111111111, 22222222-2222-2222-2222-222222222222 ]
Update the trust policy.
This step hardens the usability of the IAM Role or IAM User used by the Container Registry Agent so that it could assume only the SnykEcrServiceRole.
Copy the Role ARN key that appears at the top of the Summary section of the SnykEcrServiceRole.
In the AWS account where the IAM Role or IAM User was created for running the Container Registry Agent, edit the SnykCraAssumeRolePolicy:
If an IAM Role was created, go to Roles and choose the SnykCraEc2Role role.
In the SnykCraAssumeRolePolicy choose to edit the JSON.
Add the role ARN of SnykEcrServiceRole as the resource:
Resource: Role ARN of SnykEcrServiceRole
IF an IAM User was created, go to Users and choose the SnykCraUser user.
In the SnykCraAssumeRolePolicy choose to edit the JSON
Add the role ARN of SnykEcrServiceRole as the resource:
Resource: Role ARN of SnykEcrServiceRol
If the Container Registry Agent needs to access multiple ECR registries found in different accounts, you must add a separate item to the Statement list, so that each ECR account has a separate statement, for example:
In this step, the Role ARN of the SnykEcrServiceRole _**_will be used by providing it to the Broker Client. The broker client will pass it to the Container Registry Agent, which will assume it to connect to ECR.
Copy the Role ARN key that appears at the top of the Summary section of the SnykEcrServiceRole.
When running the Broker Client, provide the following environment variables to allow the Container Registry Agent to access your ECR account. No username and password are needed.
CR_TYPE=ecr
CR_ROLE_ARN=the role ARN of SnykEcrServiceRole
CR_REGION=AWS Region of ECR
CR_EXTERNAL_ID=Optional. The external ID found in the trust relationship condition