Merge pull request #6948 from devtron-labs/feat/ecr-cross-account-assume-role

fix: streamline AWS session creation and improve error handling

Author: Ash-exp

internal/util/EcrService.go

@@ -21,7 +21,6 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/credentials"
-	"github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
 	"github.com/juju/errors"
@@ -33,26 +32,22 @@ func CreateEcrRepo(repoName string, reg string, accessKey string, secretKey stri
 	region := reg
 	//fmt.Printf("repoName %s, reg %s, accessKey %s, secretKey %s\n", repoName, reg, accessKey, secretKey)
 
-	var creds *credentials.Credentials
+	var sess *session.Session
+	var err error
 
 	if len(accessKey) == 0 || len(secretKey) == 0 {
-		//fmt.Println("empty accessKey or secretKey")
-		sess, err := session.NewSession(&aws.Config{
+		// Case 1: IAM role — use default credential chain (IRSA, instance profile, task role, env vars)
+		sess, err = session.NewSession(&aws.Config{
 			Region: &region,
 		})
-		if err != nil {
-			log.Println(err)
-			return err
-		}
-		creds = ec2rolecreds.NewCredentials(sess)
 	} else {
-		creds = credentials.NewStaticCredentials(accessKey, secretKey, "")
+		// Case 2: Static credentials
+		creds := credentials.NewStaticCredentials(accessKey, secretKey, "")
+		sess, err = session.NewSession(&aws.Config{
+			Region:      &region,
+			Credentials: creds,
+		})
 	}
-
-	sess, err := session.NewSession(&aws.Config{
-		Region:      &region,
-		Credentials: creds,
-	})
 	if err != nil {
 		log.Println(err)
 		return err

pkg/pipeline/DockerRegistryConfig.go

@@ -19,6 +19,10 @@ package pipeline
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
 	"github.com/devtron-labs/common-lib/securestore"
 	bean2 "github.com/devtron-labs/devtron/api/helm-app/gRPC"
 	client "github.com/devtron-labs/devtron/api/helm-app/service"
@@ -27,9 +31,6 @@ import (
 	"github.com/devtron-labs/devtron/pkg/sql"
 	"github.com/go-pg/pg"
 	"k8s.io/utils/strings/slices"
-	"net/http"
-	"strings"
-	"time"
 
 	"github.com/devtron-labs/devtron/internal/constants"
 	"github.com/devtron-labs/devtron/internal/sql/repository/dockerRegistry"
@@ -906,6 +907,10 @@ func (impl DockerRegistryConfigImpl) ValidateRegistryCredentials(bean *types.Doc
 		bean.RegistryType == repository.REGISTRYTYPE_OTHER {
 		return nil
 	}
+	// Verify credentials only for chart OCI registry using helm registry login, as for container OCI registry
+	if _, ok := bean.OCIRegistryConfig[repository.OCI_REGISRTY_REPO_TYPE_CHART]; !ok {
+		return nil
+	}
 	request := &bean2.RegistryCredential{
 		RegistryUrl:  bean.RegistryURL,
 		Username:     bean.Username,

scripts/sql/35904700_ecr_assume_role.down.sql

@@ -0,0 +1,6 @@
+/*
+ * Copyright (c) 2025. Devtron Inc.
+ */
+
+ALTER TABLE public.docker_artifact_store
+    DROP COLUMN IF EXISTS assume_role_arn;

scripts/sql/35904700_ecr_assume_role.up.sql

@@ -0,0 +1,7 @@
+/*
+ * Copyright (c) 2025. Devtron Inc.
+ */
+
+-- Add assume_role_arn column to docker_artifact_store for cross-account ECR access via STS AssumeRole
+ALTER TABLE public.docker_artifact_store
+    ADD COLUMN IF NOT EXISTS assume_role_arn VARCHAR(300) DEFAULT '';