
How to get temporary session token for accessing AWS ECR?


I have put images in my AWS ECR. I want to pull an image from an edge device. If I use an Access/Secret key on my edge device, I can log in to the repository and access my images as below:

Step 1: Add environment variables

export AWS_ACCESS_KEY_ID=access-key
export AWS_SECRET_ACCESS_KEY=secret-key
export AWS_DEFAULT_REGION=ap-southeast-1

Step 2: Log in to Elastic Container Registry using the following command.

aws ecr get-login-password --region ap-southeast-1 | docker login --username AWS --password-stdin repo-id.dkr.ecr.ap-southeast-1.amazonaws.com

Step 3: Pull the image

docker pull repo-id.dkr.ecr.ap-southeast-1.amazonaws.com/image_name

These steps let me pull the image from ECR.

Now, I don't want to store the Access Key/Secret Key on the edge device. I am looking for some session key/temporary keys to access the ECR image without storing the Access/Secret Key on the edge device. In this flow I can eliminate storing highly confidential data on the edge device.

Any help would be appreciated.

Edit 1:

One possible way is writing a Lambda function to generate a password for ECR and protecting the Lambda with an API key in API Gateway. From the edge device I will call the Lambda function and get the password to pull the image.

Will it work?


Solution

  • Unfortunately, as your device is not located in AWS, it will not be able to gain the benefit of having an IAM role directly attached to it (which solves the issue of non-hard-coded permissions).

    You can however create an IAM role in AWS and then use the STS service to assume the role from another IAM user/role that has the permissions to assume the role. When you assume the role you are given temporary credentials to access the AWS services (you can decide the lifespan of the temporary credentials).

    If you can find a method to copy these credentials to your local device you can then use them for the duration of their lifetime.
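The flow the answer describes, as an added example that is not part of the question or the answer: a trusted side (an EC2 instance or CI job that already holds credentials) assumes a pull-only IAM role with STS and hands the short-lived triple to the device, which exports it and logs Docker in. Note that temporary credentials only work together with AWS_SESSION_TOKEN, which the question's Step 1 does not set; the role ARN, region, registry and image name are placeholders you must supply.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
set -eu

# Parse the single tab-separated line that `aws sts assume-role --output text`
# prints for Credentials.[AccessKeyId,SecretAccessKey,SessionToken] and export
# the three values. Without the session token the key pair is useless, so a
# line with fewer than three fields is rejected.
export_temp_creds() {
    line="$1"
    AWS_ACCESS_KEY_ID=$(printf '%s' "$line" | cut -s -f1)
    AWS_SECRET_ACCESS_KEY=$(printf '%s' "$line" | cut -s -f2)
    AWS_SESSION_TOKEN=$(printf '%s' "$line" | cut -s -f3)
    [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] \
        && [ -n "$AWS_SESSION_TOKEN" ] || return 1
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Trusted side: assume the pull-only role for a short window and print the
# credential line to hand to the device. 900 s is the STS minimum duration;
# keep it as short as the pull needs so a leaked line expires quickly.
mint_creds() {
    role_arn="$1"; duration="${2:-900}"
    aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "edge-pull-$(date +%s)" \
        --duration-seconds "$duration" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text
}

# Edge device: export the received line, log Docker in with a registry
# password derived from the temporary credentials, and pull. No long-lived
# key is ever written to the device.
ecr_pull_with_temp_creds() {
    creds_line="$1"; region="$2"; registry="$3"; image="$4"
    export_temp_creds "$creds_line"
    export AWS_DEFAULT_REGION="$region"
    aws ecr get-login-password --region "$region" \
        | docker login --username AWS --password-stdin "$registry"
    docker pull "$registry/$image"
}

# Usage (placeholders):
#   creds=$(mint_creds arn:aws:iam::123456789012:role/EdgeEcrPull 900)
#   ecr_pull_with_temp_creds "$creds" ap-southeast-1 \
#       repo-id.dkr.ecr.ap-southeast-1.amazonaws.com image_name
```

Scope the role's policy to ecr:GetAuthorizationToken plus ecr:BatchGetImage, ecr:GetDownloadUrlForLayer and ecr:BatchCheckLayerAvailability on the one repository, so the handed-out credentials can only pull.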