From 6b85605285f466fdff1cc76ef3fbffe23ea48770 Mon Sep 17 00:00:00 2001
From: Carlos Sanchez
Date: Sat, 21 Dec 2019 12:54:14 +0100
Subject: [PATCH 1/2] Push to ECR using instance roles

Add instructions

Fixes #785
---
 README.md | 74 ++++++++++++++++++++++++++++++-------------------
 1 file changed, 40 insertions(+), 34 deletions(-)

diff --git a/README.md b/README.md
index 1dd6d6c6e4..ed1968cbc3 100644
--- a/README.md
+++ b/README.md
@@ -345,12 +345,13 @@ Run kaniko with the `config.json` inside `/kaniko/.docker/config.json`
 The Amazon ECR [credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) is built in to the kaniko executor image.
 To configure credentials, you will need to do the following:
-1. Update the `credHelpers` section of [config.json](https://github.com/awslabs/amazon-ecr-credential-helper#configuration) with the specific URI of your ECR registry:
+1. Update the `credHelpers` section of [config.json](https://github.com/awslabs/amazon-ecr-credential-helper#configuration) with the specific URI of your ECR registry,
+replacing AWS_ACCOUNT_ID and REGION:
 ```json
 {
 "credHelpers": {
- "aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
+ "AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com": "ecr-login"
 }
 }
 ```
@@ -361,42 +362,47 @@ To configure credentials, you will need to do the following:
 kubectl create configmap docker-config --from-file=
 ```
-2. Create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster.
+2. Configure credentials
- To create the secret, run:
+ 1. You can use instance roles when pushing to ECR from a EC2 instance or from EKS, by [configuring the instance role permissions](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html).
- ```shell
- kubectl create secret generic aws-secret --from-file=
- ```
+ 2. Or you can create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster.
+ To create the secret, run:
+ ```shell
+ kubectl create secret generic aws-secret --from-file=
+ ```
- The Kubernetes Pod spec should look similar to this, with the args parameters filled in:
-
- ```yaml
- apiVersion: v1
- kind: Pod
- metadata:
- name: kaniko
- spec:
- containers:
- - name: kaniko
- image: gcr.io/kaniko-project/executor:latest
- args: ["--dockerfile=",
- "--context=s3:///",
- "--destination="]
- volumeMounts:
- - name: aws-secret
- mountPath: /root/.aws/
- - name: docker-config
- mountPath: /kaniko/.docker/
- restartPolicy: Never
- volumes:
- - name: aws-secret
- secret:
- secretName: aws-secret
+The Kubernetes Pod spec should look similar to this, with the args parameters filled in.
+Note that `aws-secret` volume mount and volume are only needed when using AWS credentials from a secret, not when using instance roles.
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kaniko
+spec:
+ containers:
+ - name: kaniko
+ image: gcr.io/kaniko-project/executor:latest
+ args: ["--dockerfile=",
+ "--context=s3:///",
+ "--destination="]
+ volumeMounts:
 - name: docker-config
- configMap:
- name: docker-config
- ```
+ mountPath: /kaniko/.docker/
+ # when not using instance role
+ - name: aws-secret
+ mountPath: /root/.aws/
+ restartPolicy: Never
+ volumes:
+ - name: docker-config
+ configMap:
+ name: docker-config
+ # when not using instance role
+ - name: aws-secret
+ secret:
+ secretName: aws-secret
+```
 ### Additional Flags

From 16aff6a97429a99bf553746afa481524fb1f6f31 Mon Sep 17 00:00:00 2001
From: Carlos Sanchez
Date: Sat, 21 Dec 2019 13:06:47 +0100
Subject: [PATCH 2/2] Using credsStore is simpler and we don't need to push to multiple registries likely

---
 README.md | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index ed1968cbc3..4631bf785e 100644
--- a/README.md
+++ b/README.md
@@ -345,15 +345,10 @@ Run kaniko with the `config.json` inside `/kaniko/.docker/config.json`
 The Amazon ECR [credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) is built in to the kaniko executor image.
 To configure credentials, you will need to do the following:
-1. Update the `credHelpers` section of [config.json](https://github.com/awslabs/amazon-ecr-credential-helper#configuration) with the specific URI of your ECR registry,
-replacing AWS_ACCOUNT_ID and REGION:
+1. Update the `credsStore` section of [config.json](https://github.com/awslabs/amazon-ecr-credential-helper#configuration):
 ```json
- {
- "credHelpers": {
- "AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com": "ecr-login"
- }
- }
+ { "credsStore": "ecr-login" }
 ```
 You can mount in the new config as a configMap: