$ aws_adfs_auth
Username: <ntid>
Password: <password>
<<ROLE SELECTION>>
In this example we want to test the capabilities of an AMS service, so we'll create a new block in ~/.aws/credentials
that looks like:
[ams_service]
role_arn = arn:aws:iam::794055897284:role/LambdaCreated/ECSTaskRun
source_profile = saml
$ export AWS_PROFILE=ams_service
$ aws sts get-caller-identity
We want to pull an image from 756134506823.dkr.ecr.us-east-1.amazonaws.com/xh-cloud/alpine-oracle-java:8-server-jre-181b13
(in test01) using a role from int01. Because the caller and the registry are in different accounts, the ECR repository
(in the registry account) needs a resource policy that grants the caller's account root the pull actions, like:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "pod_access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::899712721709:root",
          "arn:aws:iam::794055897284:root"
        ]
      },
      "Action": [
        "ecr:ListImages",
        "ecr:DescribeRepositories",
        "ecr:DescribeImages",
        "ecr:GetRepositoryPolicy",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ]
    }
  ]
}
$(aws ecr get-login --registry-ids 756134506823 --no-include-email --region us-east-1)
and test a pull:
$ docker pull 756134506823.dkr.ecr.us-east-1.amazonaws.com/xh-cloud/alpine-oracle-java:8-server-jre-181b13
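Before running the pull, it is worth checking offline that the repository policy actually grants the assumed role's account the three actions `docker pull` needs (the full list above is more than the minimum). The script below is an added example, not part of these notes: it evaluates a repository policy document as returned by `aws ecr get-repository-policy` against an account id, honouring string-or-list fields, `ecr:*` wildcards and explicit Deny; the embedded sample policy is the one shown above, and `missing_pull_actions` is a name chosen here.

```python
import fnmatch

# Minimal ECR actions the Docker client needs for `docker pull`.
REQUIRED_PULL_ACTIONS = {
    "ecr:GetDownloadUrlForLayer",
    "ecr:BatchGetImage",
    "ecr:BatchCheckLayerAvailability",
}

# Constructed sample: the cross-account repository policy from the notes above,
# loaded as a dict (as the CLI returns it after parsing policyText).
SAMPLE_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{
        "Sid": "pod_access", "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::899712721709:root",
                              "arn:aws:iam::794055897284:root"]},
        "Action": ["ecr:ListImages", "ecr:DescribeRepositories", "ecr:DescribeImages",
                   "ecr:GetRepositoryPolicy", "ecr:GetLifecyclePolicy",
                   "ecr:GetLifecyclePolicyPreview", "ecr:GetDownloadUrlForLayer",
                   "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability"],
    }],
}

def _as_list(value):
    """IAM allows a string or a list in Principal.AWS and Action; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principal_covers(principal, account_id):
    """True if the statement's Principal includes the account root (or a wildcard)."""
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return any(a in ("*", account_id, f"arn:aws:iam::{account_id}:root") for a in arns)

def _matched_actions(stmt, account_id):
    if not _principal_covers(stmt.get("Principal"), account_id):
        return set()
    patterns = _as_list(stmt.get("Action"))  # may contain wildcards such as ecr:*
    return {a for a in REQUIRED_PULL_ACTIONS
            if any(fnmatch.fnmatchcase(a, p) for p in patterns)}

def missing_pull_actions(policy, account_id):
    """Pull actions the repository policy does not grant to account_id.
    Explicit Deny wins over Allow, as in IAM. Only the resource policy is checked;
    the caller's own IAM role must also allow these actions."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        matched = _matched_actions(stmt, account_id)
        (allowed if stmt.get("Effect") == "Allow" else denied).update(matched)
    return REQUIRED_PULL_ACTIONS - (allowed - denied)
```

An empty result for the account reported by `aws sts get-caller-identity` means the registry side is fine and any remaining pull failure is on the assumed role's own IAM policy.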