Today I finally took the time to find some info that I’ve wondered about for…too long.
The Open Container Initiative governs the interfaces around containers. In particular, for today, I want to understand the specification for interacting with registries, like ECR.
Hey, guess what? The OCI specs are all in github! Here are the API endpoints for a registry.
The spec doesn’t define authentication. It only says a registry may require it and that the client will be told so via a 401 and a Www-Authenticate header; the actual scheme and credential format are left to whoever hosts the registry.
According to the spec, I can validate whether or not the registry implements the OCI spec by hitting the /v2/ endpoint:
$ curl -v https://$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/v2/
...
< HTTP/1.1 401 Unauthorized
< Docker-Distribution-Api-Version: registry/2.0
< Sizes:
< Www-Authenticate: Basic realm="https://000000000000.dkr.ecr.us-east-1.amazonaws.com/",service="ecr.amazonaws.com"
...
Not Authorized
Today, I also learned about the Www-Authenticate header, which hints at how to authenticate. This particular header indicates a Basic auth scheme, which means I should try again with the Authorization: Basic $BASE64_ENCODED_TOKEN header set, where $BASE64_ENCODED_TOKEN is base64("username:password") for whatever credentials the registry wants. The realm and service values in the header tell you which registry is asking. Because Basic auth sends that credential on every request, it only makes sense over HTTPS, which ECR enforces.
In the case of ECR, to authenticate, I’d do this:
aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
However, I’m presumably trying to use curl because I don’t have the ability to use docker, for some reason. If you do, just authenticate with docker login ... and then check ~/.docker/config.json for your registry and grab the auth value for the correct registry. That value is base64("AWS:<password>"), which is exactly what ECR is looking for in the Basic header. (If config.json lists a credsStore or credHelpers entry, such as docker-credential-ecr-login, the credential lives in that helper rather than in the file.) In my case, I need to find another way to authenticate.
Thankfully, the ECR documentation describes another way to get an authorization token. Working from those docs, I came up with the following command, which returns the already base64-encoded AWS:<password> pair that ECR expects in the Basic header:
aws ecr get-authorization-token --output text --region $AWS_REGION --query 'authorizationData[].authorizationToken' --registry-ids $AWS_ACCOUNT_ID
And now this results in a 200 OK:
curl https://$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/v2/ -H "Authorization: Basic $(aws ecr get-authorization-token --output text --region $AWS_REGION --query 'authorizationData[].authorizationToken' --registry-ids $AWS_ACCOUNT_ID)"
Two caveats: that token is a real credential, valid for 12 hours and carrying whatever ECR permissions the IAM principal has, so keep it out of logs and shell history; and curl -v prints the Authorization header to stderr, so drop -v once the authenticated call works.
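As an added example (not code from the original post), here is a small POSIX shell script that ties the pieces above together: it parses the scheme, realm and service out of a Www-Authenticate line, builds the Basic credential the way docker login does (base64 of AWS:<password>), checks a token's username without printing the secret, and probes /v2/ with the token handed to curl through a config file on stdin rather than on the command line. The function names, the ECR_ACCOUNT and ECR_REGION variables and the sample header are my own assumptions; the aws and curl invocations are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: POSIX sh, coreutils
# base64, curl 7.55+ (for -K - reading a config from stdin), and the AWS CLI
# with credentials allowed to call ecr:GetAuthorizationToken. The ECR hostname
# pattern is the one the post uses; the sample header in the comments is
# constructed from the 401 response shown above.

# Pull the scheme out of a WWW-Authenticate header line, e.g. "Basic".
# Input (constructed):
#   Www-Authenticate: Basic realm="https://000000000000.dkr.ecr.us-east-1.amazonaws.com/",service="ecr.amazonaws.com"
www_auth_scheme() {
  printf '%s\n' "$1" | cut -d: -f2- | awk '{ print $1 }'
}

# Pull one quoted parameter (realm, service, scope) out of the same line.
www_auth_param() {
  printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# Basic auth is base64("user:password"). ECR's user is literally "AWS" and the
# password is what `aws ecr get-login-password` prints, so this turns a login
# password into the same value `aws ecr get-authorization-token` returns.
ecr_basic_token() {
  printf 'AWS:%s' "$1" | base64 | tr -d '\n'
}

# Sanity-check a token without echoing the secret: decode it and show the user.
ecr_token_user() {
  printf '%s' "$1" | base64 -d | cut -d: -f1
}

# Live probe of /v2/ on an ECR registry. Prints only the HTTP status code.
# The header is fed to curl via a config file on stdin (-K -) so the token
# does not land in `ps` output or shell history the way -H "..." would.
ecr_v2_probe() {
  account="$1"; region="$2"
  registry="$account.dkr.ecr.$region.amazonaws.com"
  token=$(aws ecr get-authorization-token --region "$region" \
            --registry-ids "$account" --output text \
            --query 'authorizationData[].authorizationToken') || return 1
  printf 'header = "Authorization: Basic %s"\n' "$token" |
    curl -s -o /dev/null -w '%{http_code}' -K - "https://$registry/v2/"
}

# Usage: ECR_ACCOUNT=123456789012 ECR_REGION=us-east-1 sh ecr-probe.sh
if [ -n "${ECR_ACCOUNT:-}" ] && [ -n "${ECR_REGION:-}" ]; then
  ecr_v2_probe "$ECR_ACCOUNT" "$ECR_REGION"
  echo
fi
```

The probe only runs when both environment variables are set, so the parsing and encoding helpers can be exercised offline; a 200 from the probe means the token was accepted, a 401 means it was rejected or has expired.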