OCI: Downloading policy images from AWS private repository failure #7092

Open
@carabasdaniel

Description

Trying to use a policy image from an AWS private repository fails to download all image layers. Getting a 400 Bad Request when trying to download the blob.

Steps to reproduce:

  1. Create configuration file:

    services:
      ghcr:
        url: https://**.dkr.ecr.us-east-2.amazonaws.com
        type: "oci"
        response_header_timeout_seconds: 5
        credentials:
          bearer:
            token: "AWS:$TOKEN"
            scheme: "Basic"
    bundles:
      todo:
        service: ghcr
        resource: "**.dkr.ecr.us-east-2.amazonaws.com/testnamespace/test-repo:1.0.0"
        persist: false
        config:
          polling:
            min_delay_seconds: 60
            max_delay_seconds: 120

  2. Set your TOKEN using the AWS CLI: aws ecr get-login-password --region us-east-2
  3. Run: opa run -c <config.yaml> -l debug

From my initial investigation it seems that only the tarball layer fails to download while the manifest and config layer are loaded.

I've also tried using the rest aws plugin but I'm getting the same results.

Can someone please take a look at what might be the cause of this issue and whether there is a possible workaround?
