2

I am using a python lambda function to add an image tag to ECR images using boto3. The following code works and adds the desired tag to the specified image. However, targeting a different image with a different test event removes the previously applied tag from the last image. I have tried 3 different repos, as well as cross account and local account lambda functions.

For example, these are three image tags within repository "test-repo":

  1. 1.0.0.1
  2. 1.0.0.2
  3. 1.0.0.3

I run the test event for 1.0.0.1, and the following tags are now present:

  1. DELETEON_2020-03-06, 1.0.0.1
  2. 1.0.0.2
  3. 1.0.0.3

When I run the test event for any other image, in this example 1.0.0.2, this is what happens:

  1. 1.0.0.1
  2. DELETEON_2020-03-06, 1.0.0.2
  3. 1.0.0.3

I would expect the code to apply the tag to 1.0.0.1, and then when I run it for 1.0.0.2, it just adds the tag to that image as well. I don't see why it is removing the previously applied tag. I need to be able to apply the DELETEON tag to all identified vulnerable images. Is there something I am not seeing or understanding about the boto3 ECR methods, ECR itself, or perhaps this is a bug? 

    import json
    import boto3
    import datetime
    from datetime import timedelta

    def lambda_handler(event, context):
        acct = event['account']
        date = datetime.date.today()
        repo = event['detail']['repository-name']
        digest = event['detail']['image-digest']
        imagetag = event['detail']['image-tags'][0]
        client = boto3.client('ecr')
        dayint = datetime.date.today() + datetime.timedelta(days=3)
        deletetag = dayint.strftime("%Y-%m-%d")

        response = client.batch_get_image(
            registryId=acct,
            repositoryName=repo,
            imageIds=[
                {
                    'imageDigest': digest,
                    'imageTag': imagetag
                }
            ]
        )
        putresponse = client.put_image(
                    registryId=acct,
                    repositoryName=repo,
                    imageManifest=response['images'][0]['imageManifest'],
                    imageTag='DELETEON_' + deletetag
                )

Here is the sample test event (I switch out the image-digest and image-tag to target different images in the same repo):

{
  "version": "0",
  "id": "1111111111-22222222222-3333333333333",
  "detail-type": "ECR Image Scan",
  "source": "aws.ecr",
  "account": "111111111111",
  "time": "2020-02-14T22:41:19Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:ecr:us-east-1:111111111111:repository/test-repo"
  ],
  "detail": {
    "scan-status": "COMPLETE",
    "repository-name": "test-repo",
    "image-digest": "sha256:111111111111111111111111111111111111111111111111111",
    "image-tags": [
      "1.0.0.1"
    ],
    "finding-severity-counts": {
      "HIGH": 12,
      "MEDIUM": 46,
      "INFORMATIONAL": 84,
      "LOW": 72,
      "UNDEFINED": 6
    }
  }
}
Improve this question

1 Answer 1

Reset to default
2

In your example, the tags have exactly the same value: DELETEON_2020-03-06. They are the same tag. In a Docker repo, a tag can only point to one thing. Tags are unique identifiers. You can't have the same tag pointing to multiple Docker images. If that was allowed, then what would happen when you ran the command: docker run my-image:DELETEON_2020-03-06?

When you are apply that tag to one image, and it already points to another image, Docker is automatically moving that tag. Thus Docker tags are not appropriate for this specific use case. I think your best bet for storing these delete dates is going to be in a separate location outside of ECR, for example a DynamoDB table.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you Mark! Your explanation helped me resolve this issue by changing the following: imageTag='DELETEON_' + deletetag to imageTag=imagetag + ' DELETEON_' + deletetag This makes sure the applied delete tag will be unique and I won't have to rewrite all my code. :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.