Trivy-Operator Fails to Refresh AWS ECR Token, Results in Policy Download Failure #2390

Open
anainfosec opened this issue Jan 22, 2025 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@anainfosec

Steps to Reproduce and what happened:

Deploying the aquasecurity/trivy-operator Helm chart with the following version:

apiVersion: v2
name: trivy-operator
description: trivy-operator
type: application
version: 0.23.0

Expected Behavior:

The AWS token used by Trivy-Operator should automatically refresh when it expires, allowing the operator to successfully download the policy bundles without manual intervention.

Actual Behavior:

It happens only with Trivy-Operator.
The operator fails to refresh the AWS token, and the policy download fails with the following error:

{"level":"error","ts":"2025-01-22T06:13:27Z","logger":"policyLoader.Get misconfig bundle policies","msg":"failed to load policies","error":"failed to download policies: failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://123456789012.dkr.ecr.ap-southeast-1.amazonaws.com/v2/ghcr.io/aquasecurity/trivy-checks/blobs/sha256:abc123def4567890ghijz9876543210abcdef1234567890abcedf: DENIED: Your authorization token has expired. Reauthenticate and try again.","stacktrace":"github.com/aquasecurity/trivy-operator/pkg/policy.(*policyLoader).GetPoliciesAndBundlePath\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/loader.go:63\ngithub.com/aquasecurity/trivy-operator/pkg/policy.(*Policies).loadPolicies\n\t/home/runner/work/trivy-operator/trivy-operator/pkg/policy/policy.go:145\ngithub.com/aquasecurity/trivy-operator/pkg/policy.

Additional Information:

  • The issue seems to be related to the failure of Trivy-Operator to automatically refresh the AWS ECR token.

  • We have confirmed that the IAM role has the appropriate permissions, but the token is not being refreshed as expected.

  • Manual token refreshing works correctly.

Environment:

  • Trivy-Operator version (use trivy-operator version): "0.23.0"
  • Kubernetes version (use kubectl version): v1.31.4-eks-2d5f260
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): Ubuntu 24.04
@anainfosec anainfosec added the kind/bug Categorizes issue or PR as related to a bug. label Jan 22, 2025
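As an added illustration of the expected behavior (not trivy-operator's own code), this shows the refresh-before-expiry plus re-authenticate-on-DENIED pattern that would avoid the stale-token failure above; the fetch hook, margin and clock fields are assumptions standing in for the ECR GetAuthorizationToken call.

```go
package main

import (
	"strings"
	"time"
)

// tokenCache re-fetches the ECR token shortly before it expires instead of
// keeping it until the registry answers DENIED, as in the issue. Real ECR
// tokens last 12 hours; fetch stands in for GetAuthorizationToken here.
type tokenCache struct {
	fetch   func() (token string, expiresAt time.Time, err error)
	margin  time.Duration    // refresh this long before expiry
	now     func() time.Time // injectable clock
	token   string
	expires time.Time
}

// Get returns a token that stays valid for at least c.margin from now.
func (c *tokenCache) Get() (string, error) {
	if c.token == "" || !c.now().Add(c.margin).Before(c.expires) {
		tok, exp, err := c.fetch()
		if err != nil {
			return "", err
		}
		c.token, c.expires = tok, exp
	}
	return c.token, nil
}

// isExpiredTokenErr matches the registry error quoted in the issue.
func isExpiredTokenErr(err error) bool {
	return err != nil && strings.Contains(err.Error(), "authorization token has expired")
}

// downloadWithReauth runs the download once; if the registry still reports
// an expired token, it discards the cached token and retries exactly once.
func downloadWithReauth(c *tokenCache, do func(token string) error) error {
	tok, err := c.Get()
	if err != nil {
		return err
	}
	if err = do(tok); !isExpiredTokenErr(err) {
		return err
	}
	c.token = "" // force re-authentication on the next Get
	if tok, err = c.Get(); err != nil {
		return err
	}
	return do(tok)
}
```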