This document describes the use case where container images are stored on AWS ECR.
AWS ECR requires a specific procedure to log in to an ECR repository: a temporary password must be generated, and it expires after a fixed 12 hours.
AWS ECR is a web service for storing container images.
Steps to create the account:
- On the AWS customer console, create an IAM account with ECR read-only privileges
- Generate the temporary password by using AWS CLI
- Create/update a scan docker-type account on HIAB
Create IAM Account on AWS Console
To create an IAM Account on AWS Console:
- Log in to AWS console.
- Select IAM.
- Select Users in the left-hand side tab, then click on Add user.
- Provide a user name such as ECR_user_read_only, select Programmatic access, then click on Next: Permissions.
- Under Set permissions, select Attach existing policies directly, search for Registry, and check the box for the ECR read-only policy.
Generate Temporary Password from AWS CLI
To create a profile on the AWS CLI, do the following:
- Run aws configure --profile hiab (hiab can be replaced by any other profile name that better suits you).
- Enter the Access Key ID and Secret Access Key that were generated in step 7 of the Create IAM Account on AWS Console section.
- Enter the region name where your ECR repositories are located, and ignore the last entry.
Check the profile you entered by typing aws configure --profile hiab (or the profile name from step 1).
When the profile is configured, generate the temporary password that is required to access the ECR repository through docker:
Run the command aws ecr get-login-password --profile hiab --region <your_ecr_repository_region> and copy the output.
When done, you have a password that is valid for 12 hours.
Create a Scan Docker-type Account on HIAB
To create a Scan Docker-type Account on a HIAB:
- Log in to the HIAB.
- Select Portal in the Main Menu.
- On the portal click on the account button in the upper right corner to open account options.
- On Account select Credentials.
- On Credentials click on Add credential in the lower right corner.
- On Add credentials, select Docker-type account.
- Fill in the name, for example ECR-repository.
- In the Docker registry field, enter the AWS ECR registry URL; if you do not know it, you can retrieve it from the AWS console (ECR service). The URL shall be something like the following, where xxxxxxxxx refers to your AWS account and yyyy to the region where your ECR repository is located. Example: .
- Enter AWS as username.
- Paste the temporary password in the Password field. (See section Generate Temporary Password from AWS CLI on how to generate the password.)
- Click on ADD.
Once these steps have been performed, a new docker account is created. When more docker accounts have been created on HIAB, a docker discovery can be performed to retrieve the list of images located on your registries and to perform a docker scan on any discovered image.
Troubleshooting When Scanning ECR Repository
ECR requires a temporary password, which expires after 12 hours.
When the password has expired, the following errors are displayed on HIAB:
- On a docker discovery, the discovery fails with the error message Failed to get images from docker registry. 403 Forbidden.
- On an image scan, the scan fails with the message Login failure.
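As an added example (not part of this documentation or of the HIAB product), the following POSIX shell functions wrap the aws ecr get-login-password call from the Generate Temporary Password from AWS CLI section and apply the 12-hour lifetime from this troubleshooting section, so an expired password can be detected and regenerated before HIAB reports 403 Forbidden or Login failure. The profile name hiab, the region, the token file path, the registry placeholder and the hiab_error_hint classification are assumptions; aws ecr get-login-password and docker login --password-stdin are the standard CLI calls.

```shell
# Added example, not part of the HIAB documentation or the HIAB product.
# Assumptions: profile, region and file names are placeholders; the HIAB error
# strings are the ones quoted in the troubleshooting section.

ECR_TOKEN_TTL=43200   # ECR passwords expire after 12 hours (12 * 60 * 60 seconds)

# ecr_token_expired GENERATED_EPOCH NOW_EPOCH
# Succeeds (exit 0) when a password generated at GENERATED_EPOCH is no longer
# valid at NOW_EPOCH, i.e. it is at least 12 hours old.
ecr_token_expired() {
  [ $(( $2 - $1 )) -ge "$ECR_TOKEN_TTL" ]
}

# ecr_token_seconds_left GENERATED_EPOCH NOW_EPOCH
# Prints how many seconds of validity remain (0 once the password has expired).
ecr_token_seconds_left() {
  left=$(( ECR_TOKEN_TTL - ($2 - $1) ))
  [ "$left" -lt 0 ] && left=0
  echo "$left"
}

# hiab_error_hint MESSAGE
# Classifies the HIAB error messages listed in the troubleshooting section:
# prints "expired-token" for the two symptoms of an expired ECR password and
# "other" for anything else (wrong registry URL, wrong username, network issue).
hiab_error_hint() {
  case "$1" in
    *"403 Forbidden"*|*"Login failure"*) echo "expired-token" ;;
    *) echo "other" ;;
  esac
}

# ecr_refresh_token PROFILE REGION TOKEN_FILE
# Runs the same aws ecr get-login-password call as the documentation, but
# writes the password to a file readable only by the current user and records
# the generation time next to it (TOKEN_FILE.generated) for the checks above.
ecr_refresh_token() {
  profile=$1; region=$2; token_file=$3
  # umask in a subshell so the restrictive mode does not leak into the caller
  ( umask 077 && aws ecr get-login-password --profile "$profile" --region "$region" > "$token_file" ) || return 1
  date +%s > "$token_file.generated"
}

# ecr_verify_login REGISTRY TOKEN_FILE
# Optional check before pasting the password into HIAB: the same username (AWS)
# and password must be accepted by docker login against the registry URL.
ecr_verify_login() {
  docker login --username AWS --password-stdin "$1" < "$2"
}

# ecr_token_needs_refresh TOKEN_FILE
# Succeeds when no password has been generated yet or the stored one is at
# least 12 hours old; suitable for a scheduled job that then calls ecr_refresh_token.
ecr_token_needs_refresh() {
  stamp="$1.generated"
  [ -f "$stamp" ] || return 0
  ecr_token_expired "$(cat "$stamp")" "$(date +%s)"
}

# Usage (needs the AWS CLI profile created above; region and registry are placeholders):
#   ecr_token_needs_refresh "$HOME/.ecr-token" && ecr_refresh_token hiab eu-west-1 "$HOME/.ecr-token"
#   ecr_verify_login "<your-ecr-registry-url>" "$HOME/.ecr-token"
```

The refresh function stores the password on disk only because HIAB needs it pasted into the credential; keeping the file owner-only and tracking its age is what lets an operator (or a scheduled job) replace it before the discovery or scan fails rather than after.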
ECR Scan Examples
The following screenshots illustrate the ECR scanning workflow on HIAB:
- Docker discovery configuration.
- Docker discovery scan.
- Docker discovery result, for example assets.
- Docker image scan configuration.
- Docker image scan.
- Docker image scan result, for example findings/vulnerabilities.