Use case: Get ECR Authorization token --> Work with ECR (using this token) --> Revoke Token. Continue this cycle on-demand.

Reason: To avoid leaving tokens (after use) for the default lifetime of 12 hours.

Have looked up AWS doco here and doco for get-authorization-token and available ecr commands but couldn't find a way to revoke.

For instance, Docker Trusted Registry allows you to revoke access tokens anytime, as documented here.

kiran01bm
  • The fact that it's not possible to revoke an ECR token seems like a massive security risk to me. – Jan 04 '20 at 00:33
  • Have raised a feature request https://github.com/aws/containers-roadmap/issues/936 – kiran01bm Jun 10 '20 at 14:27

1 Answer

As of December 2019, there is no way to do this.

Another feature the ECR team could add is the ability to specify a token lifetime that's shorter than 12 hours. This may be easier for some people to use than remembering to revoke a token after use.

I'd raise a feature request in their roadmap here: https://github.com/aws/containers-roadmap.

jtoberon
  • Yeah, token lifetime definitely helps, but my use case was specifically to be able to revoke any active token on demand. – kiran01bm Dec 13 '19 at 00:45