

@ddukbg ddukbg commented Feb 14, 2025

Issue Number:
#624, #735


Overview

This PR adds support for Amazon EKS Pod Identity in the amazon-ecr-login GitHub Action. Previously, the action failed when running in an EKS Pod Identity environment because the AWS SDK attempted to use the container metadata service, which resulted in the error:
169.254.170.23 is not a valid container metadata service hostname.

To address this, we now explicitly detect Pod Identity environments and use fromHttp() from @aws-sdk/credential-providers to authenticate, ensuring proper credential resolution.

Changes

1. Implement Pod Identity detection and authentication

  • If the environment variable AWS_CONTAINER_CREDENTIALS_FULL_URI is set, we assume Pod Identity is being used.
  • Instead of relying on the default credential chain, which fails in this case, we explicitly use:
    return fromHttp();
  • For all other cases, we fall back to the default AWS credential chain.

2. Maintain support for IRSA and default authentication

  • If Pod Identity is not detected, authentication remains unchanged.
  • This ensures that existing workflows using IAM Roles for Service Accounts (IRSA) are not affected.

3. Successful Login, Pull, and Push Validation

Tested the new implementation in both Pod Identity and IRSA environments, ensuring that authentication, login, and image push to ECR work as expected.

Test Logs:

Pod Identity Environment

{
    "UserId": "AROXXXXXX:eks-cluster-pod-identity",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/eks-cluster-pod-identity-role/session-id"
}
  • Using fromHttp() authentication
  • Successfully logged into Amazon ECR
  • Docker image pull & push completed successfully

IRSA Environment

{
    "UserId": "AROYYYYYY:botocore-session",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/eks-cluster-irsa-role/session-id"
}
  • Using default AWS credential chain authentication
  • Successfully logged into Amazon ECR
  • Docker image pull & push completed successfully

Impact

  • Fixes existing login failures for EKS Pod Identity environments.
  • Ensures compatibility with existing workflows using IRSA or instance roles.
  • No breaking changes for users who are not using Pod Identity.

Workaround Before This PR

Before this PR, users needed a workaround to prevent the action from attempting to use invalid metadata service credentials:

- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
  env:
    AWS_CONTAINER_CREDENTIALS_FULL_URI: ''

With this PR, the action now correctly detects and uses Pod Identity authentication automatically.


Conclusion

This PR ensures that self-hosted GitHub Actions runners running inside Amazon EKS with Pod Identity can properly authenticate with Amazon ECR without requiring additional configuration.

Would appreciate any feedback, and thanks for reviewing this contribution! 🙌🚀
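The provider selection described above, written out as an added example that is not the action's or the PR author's code. It assumes the IRSA variables AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN as the IRSA signal (the PR's tests check that IRSA takes precedence), and the endpoint allowlist is an added defensive check, not something the PR itself does; the provider factories are injected so the code runs offline.

```javascript
// Added example, not code from the amazon-ecr-login action itself.
// Models the PR's logic: prefer IRSA when its variables are present, use
// fromHttp() when AWS_CONTAINER_CREDENTIALS_FULL_URI is set, otherwise fall
// back to the default chain. In the action the injected factories would be
// fromHttp and fromNodeProviderChain from @aws-sdk/credential-providers.

// Endpoints the PR names for Pod Identity / container credentials. Checking
// the URI host is an added step (assumption), in the spirit of the SDK's own
// hostname validation that produced the "not a valid container metadata
// service hostname" error before the fix.
const ALLOWED_CREDENTIAL_HOSTS = new Set(['169.254.170.23', '169.254.170.2']);

function classifyCredentialSource(env) {
  // IRSA: the SDK's web-identity provider keys off these two variables.
  if (env.AWS_WEB_IDENTITY_TOKEN_FILE && env.AWS_ROLE_ARN) return 'irsa';
  // Pod Identity: the agent publishes its endpoint via this variable.
  // The pre-PR workaround set it to '', which this treats as "not set".
  if (env.AWS_CONTAINER_CREDENTIALS_FULL_URI) return 'pod-identity';
  return 'default';
}

function validatePodIdentityUri(uri) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch {
    throw new Error(`AWS_CONTAINER_CREDENTIALS_FULL_URI is not a URL: ${uri}`);
  }
  if (!ALLOWED_CREDENTIAL_HOSTS.has(parsed.hostname)) {
    throw new Error(`${parsed.hostname} is not an allowed credential endpoint host`);
  }
  return parsed.hostname;
}

// Returns which source was chosen and the provider built for it.
function selectCredentialProvider(env, { fromHttp, fromNodeProviderChain }) {
  const source = classifyCredentialSource(env);
  if (source === 'pod-identity') {
    validatePodIdentityUri(env.AWS_CONTAINER_CREDENTIALS_FULL_URI);
    return { source, provider: fromHttp() };
  }
  // IRSA and everything else resolve through the default chain unchanged.
  return { source, provider: fromNodeProviderChain() };
}
```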

ddukbg and others added 7 commits February 13, 2025 17:25
- Implemented Pod Identity authentication using fromHttp()
- Ensured compatibility with existing IRSA authentication
- Updated AWS SDK dependencies for improved support
- Refactored getCredentials function to detect Pod Identity environment
- Improved logging and error handling
- fromWebToken is no longer needed since Pod Identity uses fromHttp()
- Cleaned up unused import from credential-providers
- No functional changes, just removing dead code
- Add test cases for Pod Identity credential handling
- Test AWS_CONTAINER_CREDENTIALS_FULL_URI environment variable support
- Verify IRSA precedence over Pod Identity when both are configured
- Add error handling tests for invalid credentials and docker login failures
- Test ECR Public/Private registry compatibility with Pod Identity

This commit enhances test coverage for Pod Identity support in the ECR login
action, ensuring proper credential handling in Kubernetes environments.

Update Pod Identity endpoint from 169.254.170.2 to 169.254.170.23 to match
the correct EKS Pod Identity endpoint address.

This ensures tests accurately reflect the real EKS environment configuration.

feat(test): Add test cases for pod identity support

ddukbg commented Feb 14, 2025

Hi @arjraman

I hope you're doing well.

I recently submitted a PR to the amazon-ecr-login repository, which adds support for EKS Pod Identity authentication. Given that this project hasn't had a review in some time, I wanted to kindly check if you might be available to review the changes.

The PR ensures that the action correctly handles authentication for EKS environments using Pod Identity, while maintaining support for IRSA and default credential chains. It includes comprehensive test coverage to validate the implementation.

If you are no longer maintaining this repository, I sincerely apologize for the inconvenience. In that case, could you kindly direct me to the appropriate person or team who might be responsible?

Thank you for your time, and I truly appreciate any feedback you can provide.

Best regards,
