What’s the Best Way to Authenticate My Home Kubernetes Cluster with AWS ECR?

Asked By QuantumPenguin27 On

Hey everyone! I've got a home Kubernetes setup (not on AWS) and I'm using a cronjob to refresh my ECR login token and update a Kubernetes secret so I can pull images from AWS ECR. The cronjob runs 'aws ecr get-login-password' and updates the secret in the appropriate namespace. While it works fine, it feels a bit hacky, and I'm surprised there's no more native integration for ECR when you're not running on AWS.

As I understand it, when you're on EKS or AWS EC2, using IAM roles (like IRSA) makes authentication to ECR seamless. However, on-prem setups like mine don't have that handoff, requiring manual updates or cronjobs with image pull secrets. I'm curious if in 2025 this is still considered the best or most common solution? Is there a cleaner method I could adopt before committing to using a cronjob long term? Thanks for any insights!

3 Answers

Answered By CodeWizard_88 On

Try using the external secrets operator! It has an ECRAuthorizationToken resource that will authenticate against AWS, updating your Kubernetes secret with the needed ECR credentials. It's pretty much like your cron script, but way less hacky!

K8sExplorer -

This looks like a solid option, especially since it works seamlessly with MicroK8s! I'm going to give it a shot and let you know how it goes.
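For anyone wanting to see what the External Secrets Operator route looks like in practice, here is an added example (not from the original answer or the ESO project docs): an ECRAuthorizationToken generator fed by static IAM user keys, plus an ExternalSecret that renders the result into a dockerconfigjson pull secret. The region, namespace, secret names and the `v1beta1` ExternalSecret API version are assumptions; the IAM user behind the keys should hold only the read-only ECR actions listed in the comment.

```yaml
# Generator: ESO calls ecr:GetAuthorizationToken using the referenced keys.
# The IAM user needs only: ecr:GetAuthorizationToken, ecr:BatchGetImage,
# ecr:GetDownloadUrlForLayer, ecr:BatchCheckLayerAvailability (pull-only).
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-token            # assumed name
  namespace: apps            # assumed namespace
spec:
  region: eu-west-1          # assumed region
  auth:
    secretRef:
      accessKeyIDSecretRef:
        name: aws-ecr-pull-creds   # pre-created Secret holding the IAM keys
        key: access-key-id
      secretAccessKeySecretRef:
        name: aws-ecr-pull-creds
        key: secret-access-key
---
# ExternalSecret: re-runs the generator on every refresh and writes the
# short-lived token into a pull secret that pods reference via imagePullSecrets.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ecr-pull-secret
  namespace: apps
spec:
  refreshInterval: 8h        # ECR tokens expire after 12h; refresh well before that
  target:
    name: ecr-pull-secret    # resulting Secret name used in imagePullSecrets
    template:
      type: kubernetes.io/dockerconfigjson
      data:
        .dockerconfigjson: |
          {"auths":{"{{ .proxy_endpoint }}":{"username":"{{ .username }}","password":"{{ .password }}"}}}
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: ECRAuthorizationToken
          name: ecr-token
```

Check the rendered Secret's `expires_at`-driven rotation with `kubectl get externalsecret -n apps` and confirm its status shows a recent SecretSynced; a stale status is the first sign that the keys or IAM policy are wrong.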

Answered By TechNinja_2024 On

You might want to look into IAM Roles Anywhere with TLS certificates. It could streamline your authentication process as per the documentation on AWS. It sounds like a viable solution, though from what I gathered, you'd still need a cronjob to refresh the ECR login token, just switching out AWS credentials for managing CA and client certs. Might be a bit much for your home setup, but definitely consider it for more secure environments!

CuriousCoder99 -

Thanks for this suggestion! I hadn't heard of IAM Roles Anywhere before and it seems interesting. However, it looks like I'd still need the cronjob, which feels a bit overkill for a home cluster setup.

SeamlessCloud42 -

Are you saying you don’t need AWS Private CA anymore? I was under the impression it was required. Have you tried it without that setup? Is it good?

Answered By KubeMasterXX On

Have you checked out the Kubelet Image Credential Provider feature introduced in 1.33? It's enabled by default and allows you to use environment variables for credentials or set up IRSA, which isn't too complicated for home clusters. This could eliminate the need for a cronjob!

TechSage_2025 -

This sounds like exactly what I need. Thanks for sharing! I'm currently using MicroK8s, which doesn't make kubelet config easy, so it might be a challenge to implement. But it's a great reason to think about switching to a distro that supports it better!

DevGuy101 -

I've been using the Kubelet Credential Provider since 1.31 and it's been fantastic! Just an additional note that it's part of the transition from the in-tree cloud provider, so you're on the right track.
