使用 Python Lambda 函数的 AWS ECR 图像标签

Question

I am using a python lambda function to add an image tag to ECR images using boto3. The following code works and adds the desired tag to the specified image. However, targeting a different image with a different test event removes the previously applied tag from the last image. I have tried 3 different repos, as well as cross account and local account lambda functions.

For example, these are three image tags within repository "test-repo":

1. 1.0.0.1
2. 1.0.0.2
3. 1.0.0.3

I run the test event for 1.0.0.1, and the following tags are now present:

1. DELETEON_2020-03-06, 1.0.0.1
2. 1.0.0.2
3. 1.0.0.3

When I run the test event for any other image, in this example 1.0.0.2, this is what happens:

1. 1.0.0.1
2. DELETEON_2020-03-06, 1.0.0.2
3. 1.0.0.3

I would expect the code to apply the tag to 1.0.0.1, and then when I run it for 1.0.0.2, it just adds the tag to that image as well. I don't see why it is removing the previously applied tag. I need to be able to apply the DELETEON tag to all identified vulnerable images. Is there something I am not seeing or understanding about the boto3 ECR methods, ECR itself, or perhaps this is a bug?

    import json
    import boto3
    import datetime
    from datetime import timedelta

    def lambda_handler(event, context):
        acct = event['account']
        date = datetime.date.today()
        repo = event['detail']['repository-name']
        digest = event['detail']['image-digest']
        imagetag = event['detail']['image-tags'][0]
        client = boto3.client('ecr')
        dayint = datetime.date.today() + datetime.timedelta(days=3)
        deletetag = dayint.strftime("%Y-%m-%d")

        response = client.batch_get_image(
            registryId=acct,
            repositoryName=repo,
            imageIds=[
                {
                    'imageDigest': digest,
                    'imageTag': imagetag
                }
            ]
        )
        putresponse = client.put_image(
                    registryId=acct,
                    repositoryName=repo,
                    imageManifest=response['images'][0]['imageManifest'],
                    imageTag='DELETEON_' + deletetag
                )

Here is the sample test event (I switch out the image-digest and image-tag to target different images in the same repo):

{
  "version": "0",
  "id": "1111111111-22222222222-3333333333333",
  "detail-type": "ECR Image Scan",
  "source": "aws.ecr",
  "account": "111111111111",
  "time": "2020-02-14T22:41:19Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:ecr:us-east-1:111111111111:repository/test-repo"
  ],
  "detail": {
    "scan-status": "COMPLETE",
    "repository-name": "test-repo",
    "image-digest": "sha256:111111111111111111111111111111111111111111111111111",
    "image-tags": [
      "1.0.0.1"
    ],
    "finding-severity-counts": {
      "HIGH": 12,
      "MEDIUM": 46,
      "INFORMATIONAL": 84,
      "LOW": 72,
      "UNDEFINED": 6
    }
  }
}

Answer 1

In your example, the tags have exactly the same value: DELETEON_2020-03-06 . They are the same tag. In a Docker repo, a tag can only point to one thing. Tags are unique identifiers. You can't have the same tag pointing to multiple Docker images. If that was allowed, then what would happen when you ran the command: docker run my-image:DELETEON_2020-03-06 ?

When you are apply that tag to one image, and it already points to another image, Docker is automatically moving that tag. Thus Docker tags are not appropriate for this specific use case. I think your best bet for storing these delete dates is going to be in a separate location outside of ECR, for example a DynamoDB table.