#notation or container image signing


mossy pike

I'm required to sign the container images the pipeline produces, using notation and AWS signing profiles. I have been following https://docs.aws.amazon.com/signer/latest/developerguide/image-signing-steps.html but I got stuck on auth. The usual

.with_registry_auth(address=container_artifact_registry, username="AWS", secret=aws_ecr_token)

does not work. Help needed, please. Is there a better way to do this, or what am I missing? Thanks in advance.


I have also tried doing it manually, like this:

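# Pinned notation CLI release; bump this deliberately rather than tracking "latest".
notation_version = "1.2.0"

# Container that installs notation + the AWS Signer plugin + the ECR credential
# helper, then signs the image at `artifact@digest` with the given signing profile.
# Assumes this runs inside an async Dagger module method where `dag`, `Platform`,
# `self.aws_access_key_id` / `self.aws_secret_access_key` (dagger Secrets),
# `artifact`, `digest` and `signing_profile_name` are in scope.
sign = (
    dag.container(platform=Platform("linux/amd64"))
    .from_("alpine/curl")
    .with_workdir("/tmp")
    # Fetch the notation CLI tarball for the pinned version.
    # NOTE(review): unlike the plugin install below, this download is not
    # checksum-verified; consider pinning a digest from the release's checksums file.
    .with_exec([
        "curl", "-Lf", f"https://github.com/notaryproject/notation/releases/download/v{notation_version}/notation_{notation_version}_linux_amd64.tar.gz",
        "-o", "notation_linux_amd64.tar.gz"
    ])
    .with_exec(["tar", "xvzf", "notation_linux_amd64.tar.gz", "-C", "/usr/local/bin"])
    .with_exec(["notation", "version"])
    # Install the AWS Signer plugin; notation checks the archive against --sha256sum.
    # The URL points at "latest", so this pinned digest will stop matching once a
    # newer plugin build is published — expect the step to fail rather than drift.
    .with_exec([
        "notation", "plugin", "install",
        "--url", "https://d2hvyiie56hcat.cloudfront.net/linux/amd64/plugin/latest/notation-aws-signer-plugin.zip",
        "--sha256sum", "cccfe8fdcdf853d83fd57ffc80524eddda75ad7ae9d9a257b087007230ec02f9"
    ])
    # ECR credential helper, wired in through ~/.docker/config.json so notation can
    # obtain short-lived registry tokens from the AWS credentials instead of a
    # static registry password.
    .with_exec([
        "curl", "-Lf", "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.9.0/linux-amd64/docker-credential-ecr-login",
        "-o", "/usr/local/bin/docker-credential-ecr-login",
    ])
    .with_exec(["chmod", "+x", "/usr/local/bin/docker-credential-ecr-login"])
    .with_new_file("/root/.docker/config.json", "{\"credsStore\": \"ecr-login\"}")
    # Pass the AWS credentials as Dagger secrets. The previous
    # with_env_variable(..., await secret.plaintext()) form materialises the
    # secret value into the container definition, where it can end up in the
    # Dagger cache and in any exported image or log of the pipeline.
    .with_secret_variable("AWS_ACCESS_KEY_ID", self.aws_access_key_id)
    .with_secret_variable("AWS_SECRET_ACCESS_KEY", self.aws_secret_access_key)
    .with_exec([
        "notation", "sign", f"{self.account_id}.dkr.ecr.{self.region}.amazonaws.com/{artifact}@{digest}",
        "--id", f"arn:aws:signer:{self.region}:{self.account_id}:/signing-profiles/{signing_profile_name}",
        "--plugin", "com.amazonaws.signer.notation.plugin",
    ])
)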