
Unable to execute 'verify' command with private ECR image when the regions of the ECS cluster and ECR are different #655

Closed
tk3fftk opened this issue Jan 11, 2024 · 1 comment


@tk3fftk

tk3fftk commented Jan 11, 2024

What happened?

Unable to execute 'verify' command with private ECR image when the regions of the ECS cluster and ECR are different.
This may mean the region in ecspresso.yaml and the region of the container image registry are different. It may happen even when using another account and another region.

$ cat ecspresso.yaml | grep region
region: ap-south-1
$ cat ecs-task-def.json | grep image
      "image": "<my_aws_account_id>.dkr.ecr.ap-northeast-1.amazonaws.com/some-image:latest",
$ ecspresso verify --config ecspresso.yml --debug
2024/01/09 18:44:56 [INFO] ecspresso version: v2.3.1
2024/01/09 18:44:56 super-cluster/service [DEBUG] config file path: ecspresso.yml
2024/01/09 18:44:56 super-cluster/service [DEBUG] timeout: 10m0s
2024/01/09 18:44:56 super-cluster/service [DEBUG] dispatching subcommand: verify
2024/01/09 18:44:57 super-cluster/service [INFO] failed to assume role to taskExecutionRole. Continue to verify with current session. operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 5b4fefaf-d659-43e2-bbe9-6b8d6c3e8287, api error AccessDenied: (snip)
2024/01/09 18:44:57 super-cluster/service Starting verify
  TaskDefinition
    ExecutionRole[arn:aws:iam::<my_aws_account_id>:role/ecsTaskExecutionRole]
    --> [OK]
    TaskRole[arn:aws:iam::<my_aws_account_id>:role/somerole]
    --> [OK]
    ContainerDefinition[some-image]
      Image[<my_aws_account_id>.dkr.ecr.ap-northeast-1.amazonaws.com/some-image:latast]
2024/01/09 18:44:58 super-cluster/service [DEBUG] VERIFY ECR Image
2024/01/09 18:44:59 super-cluster/service [DEBUG] image=<my_aws_account_id>.dkr.ecr.ap-northeast-1.amazonaws.com/some-image tag=latest
      --> [NG] 400 Bad Request
    --> [NG] verify Image[<my_aws_account_id>.dkr.ecr.ap-northeast-1.amazonaws.com/some-image:latest] failed: 400 Bad Request
  --> [NG] verify ContainerDefinition[some-image] failed: verify Image[<my_aws_account_id>.dkr.ecr.ap-northeast-1.amazonaws.com/some-image:latest] failed: 400 Bad Request
2024/01/09 18:44:59 [ERROR] FAILED. verify TaskDefinition failed: verify ContainerDefinition[some-image] failed: verify Image[<my_aws_account_id>.dkr.ecr.ap-northeast-1.amazonaws.com/some-image:latest] failed: 400 Bad Request

This error message is the same as with the following command:

$ aws ecr get-login-password --region ap-south-1 | docker login --username AWS --password-stdin "<my_aws_account_id>.dkr.ecr.ap-northeast-1.amazonaws.com" 
Error response from daemon: login attempt to https://<my_aws_account_id>.dkr.ecr.ap-northeast-1.amazonaws.com/v2/ failed with status: 400 Bad Request

Version

v2.3.1

Expected Behavior

Be able to execute 'verify' with a private ECR image when the regions of the ECS cluster and ECR are different.

@fujiwara
Collaborator

fujiwara commented Jan 11, 2024

@tk3fftk Thank you for the report!

Currently, the ecspresso verifier uses an ecr.Client in the same region as ECS, so the client seems to fail to verify images in another region.

ecr: ecr.NewFromConfig(*execCfg),

out, err := d.verifier.ecr.GetAuthorizationToken(

I'll fix this.

fujiwara added a commit that referenced this issue Jan 13, 2024
refs #655

Use ecr.Client for each region.
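The region mismatch from the issue and the direction of the referenced commit ("Use ecr.Client for each region"), worked through as an added Go example; this is not ecspresso's own code. It parses the registry host of a private ECR image reference to recover the registry's region, and keeps one client per region in a small cache so a verifier can pick the client for the image's region instead of reusing the cluster's. The ECRImage type, ParseECRImage, RegionalClients, CrossRegion and the 12-digit account id 123456789012 are assumptions and constructed values; the client constructor is injected so the example runs without the AWS SDK (in ecspresso it would wrap ecr.NewFromConfig with the config's region overridden).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"sync"
)

// ECRImage is the decomposed form of a private ECR image reference such as
// 123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/some-image:latest (constructed account id).
type ECRImage struct {
	Registry   string // full registry host
	AccountID  string
	Region     string // the region whose ECR client must be used to verify the image
	Repository string
	Tag        string // empty when referenced by digest
	Digest     string // empty when referenced by tag
}

// ecrHost matches the registry host of a private ECR repository, including the
// FIPS endpoints and the China partition (assumed hostname shapes).
var ecrHost = regexp.MustCompile(`^(\d{12})\.dkr\.ecr(?:-fips)?\.([a-z0-9-]+)\.amazonaws\.com(?:\.cn)?$`)

// ParseECRImage splits an image reference into registry, account, region, repository and tag/digest.
func ParseECRImage(image string) (ECRImage, error) {
	var img ECRImage
	host, path, ok := strings.Cut(image, "/")
	if !ok {
		return img, fmt.Errorf("not an ECR image reference (no registry host): %q", image)
	}
	m := ecrHost.FindStringSubmatch(host)
	if m == nil {
		return img, fmt.Errorf("registry %q is not a private ECR registry", host)
	}
	img.Registry, img.AccountID, img.Region = host, m[1], m[2]
	// Digest references use "@", tag references use ":"; a bare repository means "latest".
	if repo, digest, ok := strings.Cut(path, "@"); ok {
		img.Repository, img.Digest = repo, digest
	} else if repo, tag, ok := strings.Cut(path, ":"); ok {
		img.Repository, img.Tag = repo, tag
	} else {
		img.Repository, img.Tag = path, "latest"
	}
	if img.Repository == "" {
		return img, errors.New("empty repository name")
	}
	return img, nil
}

// CrossRegion reports whether the image's registry lives in a different region
// than the ECS cluster, the situation that produced the 400 in the issue.
func CrossRegion(ecsRegion, image string) (bool, error) {
	img, err := ParseECRImage(image)
	if err != nil {
		return false, err
	}
	return img.Region != ecsRegion, nil
}

// RegionalClients hands out one client per region, created lazily by newClient.
// The constructor is injected (hypothetical design) so the cache runs without the SDK.
type RegionalClients[C any] struct {
	mu        sync.Mutex
	newClient func(region string) C
	clients   map[string]C
}

func NewRegionalClients[C any](newClient func(region string) C) *RegionalClients[C] {
	return &RegionalClients[C]{newClient: newClient, clients: map[string]C{}}
}

// For returns the cached client for region, creating it on first use.
func (r *RegionalClients[C]) For(region string) C {
	r.mu.Lock()
	defer r.mu.Unlock()
	c, ok := r.clients[region]
	if !ok {
		c = r.newClient(region)
		r.clients[region] = c
	}
	return c
}

func main() {
	// Constructed example matching the issue: cluster in ap-south-1, image in ap-northeast-1.
	const ecsRegion = "ap-south-1"
	const image = "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/some-image:latest"
	img, err := ParseECRImage(image)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	clients := NewRegionalClients(func(region string) string {
		// Stand-in for ecr.NewFromConfig(cfg) with cfg.Region set to region.
		return "ecr.Client{Region: " + region + "}"
	})
	fmt.Printf("cluster region %s, image region %s, cross-region=%v\n", ecsRegion, img.Region, img.Region != ecsRegion)
	fmt.Println("verify with", clients.For(img.Region))
}
```

The practical check for a verifier is the last two lines of main: derive the region from the image reference, then fetch the client for that region, so an image in ap-northeast-1 is never checked with an ap-south-1 client even when the task definition and cluster live there.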