How to authenticate Argo CD Image Updater with ECR without external script? (credentials not refreshing)

[anishbista60]

Kind: question

Description

Hi team,

I am using Argo CD Image Updater v1.0.0 and currently authenticating to AWS ECR using an external script mounted into the Image Updater pod.

This is the current setup:

ecr.sh

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-image-updater-ecr-script
  namespace: argocd-image-updater-system
data:
  ecr.sh: |
    #!/bin/sh
    aws ecr --region us-east-1 get-authorization-token --output text --query 'authorizationData[].authorizationToken' | base64 -d

registries.conf

registries:
  - name: ECR
    api_url: https://<account_id>.dkr.ecr.us-east-1.amazonaws.com
    prefix: <account_id>.dkr.ecr.us-east-1.amazonaws.com
    ping: yes
    insecure: no
    credentials: ext:/app/ecr.sh
    credsexpire: 12h

The script is mounted into the Image Updater pod:

        - mountPath: /app
          name: ecr-script
      volumes:
      - configMap:
          name: argocd-image-updater-ecr-script
          defaultMode: 0777
        name: ecr-script

---

Problem

This setup works initially, but after 12 hours the Image Updater fails to authenticate to ECR.

The relevant error in logs:

Couldn't set registry: failed to authenticate with ECR

If I restart the Image Updater pod manually, everything starts working again.

It looks like the external-credentials script is not being re-executed when the token expires—even though credsexpire: 12h is set.

---

Questions

1. Why doesn't Image Updater refresh ECR credentials automatically?
   Is this a known issue with ext: credential providers?

2. What is the recommended way to authenticate Image Updater to ECR?
   I would like to get rid of the script-based approach.

   I was expecting to use:

   • AWS IRSA (IAM Roles for Service Accounts)
   • service account annotations like:
     eks.amazonaws.com/role-arn: arn:aws:iam::<account>:role/...

   But I couldn't find clear documentation on how Image Updater supports IRSA directly.

---

Request

Could you please confirm:

• Whether IRSA is supported for Image Updater ECR authentication?
• If yes, are there any official examples or documentation?
• If not, is this feature planned?

Thanks!

---

[anishbista60]

@dkarpele Could you please help me ? It quiet urgent and we are facing issue in both dev and prod.

[tom-zen]

@anishbista60
Using External Secrets, grant read/pull permissions for role's argocd-image-updater (using IRSA)

1. Create kind: ECRAuthorizationToken (ecr-auth-token)

apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-auth-token
  namespace: argocd
spec:
  region: ap-southeast-1
  auth:
    jwt:
      serviceAccountRef:
        name: argocd-image-updater

2. Create kind: ExternalSecret (ecr-docker)

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: ecr-docker
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: ECRAuthorizationToken
        name: ecr-auth-token
  refreshInterval: 11h
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: ecr-docker
    template:
      data:
        .dockerconfigjson: |
          {
            "auths": {
              "<your-account-id>.dkr.ecr.ap-southeast-1.amazonaws.com": {
                "username": "{{ .username }}",
                "password": "{{ .password }}",
                "auth": "{{ printf "%s:%s" .username .password | b64enc }}"
              }
            }
          }
      type: kubernetes.io/dockerconfigjson

3. Add in registries.conf:

  registries:
    - ...
      credentials: pullsecret:argocd/ecr-docker

[anishbista60]

@tom-zen Thank you it did the setup. It was working yesterday evening. Now, today morning it says the token expires could get the registry tag.

[anishbista60]

I think this is the issue :

• refreshInterval: 11h means the token is refreshed before expiry once, but after the next 12-hour expiry the refresh is still 11 hours away → causing failures.

[anishbista60]

time="2025-11-27T01:19:43Z" level=error msg="Could not get tags from registry: denied: Your authorization token has expired. Reauthenticate and try again." application=argocd/gateway-kong controller=imageupdater controllerGroup=argocd-image-updater.argoproj.io controllerKind=ImageUpdater imageUpdater_name=all-apps-image-updater imageUpdater_namespace=argocd image_alias=gateway image_digest="sha256:0dc306ff9ca33a492e5529367b16b5bdb984aff921f80a850b918848b4b116e6" image_name=<account_id>.dkr.ecr.us-east-1.amazonaws.com/enkryptai-dev/gateway image_registry=<account_id>.dkr.ecr.us-east-1.amazonaws.com logger=reconcile
time="2025-11-27T01:19:43Z" level=error msg="Could not get tags from registry: denied: Your authorization token has expired. Reauthenticate and try again." application=argocd/leaderboard-server controller=imageupdater controllerGroup=argocd-image-updater.argoproj.io controllerKind=ImageUpdater imageUpdater_name=all-apps-image-updater imageUpdater_namespace=argocd image_alias=leaderboard-server image_digest="sha256:70d541083c3931af9b2b78cf234aed3c8281efc182171b167629abe17986c1c5" image_name=<account_id>.dkr.ecr.us-east-1.amazonaws.com/enkryptai-dev/leaderboard-server image_registry=<account_id>.dkr.ecr.us-east-1.amazonaws.com logger=reconcile
time="2025-11-27T01:19:43Z" level=error msg="Could not get tags from registry: denied: Your authorization token has expired. Reauthenticate and try again." application=argocd/frontend controller=imageupdater controllerGroup=argocd-image-updater.argoproj.io controllerKind=ImageUpdater imageUpdater_name=all-apps-image-updater imageUpdater_namespace=argocd image_alias=frontend image_digest="sha256:5edb46cd9de0ec3495fdeb4cb926d4f28ad1a895ba52242cc06c40b59175398c" image_name=<account_id>.dkr.ecr.us-east-1.amazonaws.com/enkryptai-dev/frontend image_registry=<account_id>.dkr.ecr.us-east-1.amazonaws.com logger=reconcile
time="2025-11-27T01:19:43Z" level=error msg="Could not get tags from registry: denied: Your authorization token has expired. Reauthenticate and try again." application=argocd/leaderboard-client controller=imageupdater controllerGroup=argocd-image-updater.argoproj.io controllerKind=ImageUpdater imageUpdater_name=all-apps-image-updater imageUpdater_namespace=argocd image_alias=leaderboard-client image_digest="sha256:5e322e891a4439ab745855fd1a504b7296559f49bb30e7fb1b8f28011b7c20a4" image_name=<account_id>.dkr.ecr.us-east-1.amazonaws.com/enkryptai-dev/leaderboard-client image_registry=<account_id>.dkr.ecr.us-east-1.amazonaws.com logger=reconcile
time="2025-11-27T01:19:43Z" level=error msg="Could not get tags from registry: denied: Your authorization token has expired. Reauthenticate and try again." application=argocd/redteam-proxy controller=imageupdater controllerGroup=argocd-image-updater.argoproj.io controllerKind=ImageUpdater imageUpdater_name=all-apps-image-updater imageUpdater_namespace=argocd image_alias=redteam-proxy image_name=<account_id>.dkr.ecr.us-east-1.amazonaws.com/enkryptai-dev/redteam-proxy image_registry=<account_id>.dkr.ecr.us-east-1.amazonaws.com image_tag=dev-v1.1.127-1764130957 logger=reconcile
time="2025-11-27T01:19:43Z" level=error msg="Could not get tags from registry: denied: Your authorization token has expired. Reauthenticate and try again." application=argocd/gateway-kong controller=imageupdater controllerGroup=argocd-image-updater.argoproj.io controllerKind=ImageUpdater imageUpdater_name=all-apps-image-updater imageUpdater_namespace=argocd image_alias=gateway-migrations image_digest="sha256:0dc306ff9ca33a492e5529367b16b5bdb984aff921f80a850b918848b4b116e6" image_name=<account_id>.dkr.ecr.us-east-1.amazonaws.com/enkryptai-dev/gateway image_registry=<account_id>.dkr.ecr.us-east-1.amazonaws.com logger=reconcile
time="2025-11-27T01:19:43Z" level=error msg="Could not get tags from registry: denied: Your authorization token has expired. Reauthenticate and try again." application=argocd/gateway-kong controller=imageupdater controllerGroup=argocd-image-updater.argoproj.io controllerKind=ImageUpdater imageUpdater_name=all-apps-image-updater imageUpdater_namespace=argocd image_alias=gateway-migrations-up image_digest="sha256:0dc306ff9ca33a492e5529367b16b5bdb984aff921f80a850b918848b4b116e6" image_name=<account_id>.dkr.ecr.us-east-1.amazonaws.com/enkryptai-dev/gateway image_registry=<account_id>.dkr.ecr.us-east-1.amazonaws.com logger=reconcile
time="2025-11-27T01:19:43Z" level=error msg="Could not get tags from registry: denied: Your authorization token has expired. Reauthenticate and try again." application=argocd/gateway-kong controller=imageupdater controllerGroup=argocd-image-updater.argoproj.io controllerKind=ImageUpdater imageUpdater_name=all-apps-image-updater imageUpdater_namespace=argocd image_alias=gateway-deck-sync image_digest="sha256:f184a296ef1beb10a564816398525e0b0742dfce2cc779b093b9b932eda91e4c" image_name=<account_id>.dkr.ecr.us-east-1.amazonaws.com/enkryptai-dev/gateway-sync image_registry=<account_id>.dkr.ecr.us-east-1.amazonaws.com logger=reconcile
time="2025-11-27T01:19:43Z" level=info msg="Processing results: applications=6 images_considered=9 images_skipped=0 images_updated=0 errors=9" controller=imageupdater controllerGroup=argocd-image-updater.argoproj.io controllerKind=ImageUpdater imageUpdater_name=all-apps-image-updater imageUpdater_namespace=argocd logger=reconcile

[anishbista60]

Following above approach i am still getting token expired error.

Can any one help me to resolve this issue ?

[anishbista60]

Sharing my whole manifest here :

---
apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-auth-token
  namespace: argocd-image-updater-system
spec:
  region: us-east-1
  auth:
    jwt:
      serviceAccountRef:
        name: argocd-image-updater-controller
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ecr-docker
  namespace: argocd-image-updater-system
spec:
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: ECRAuthorizationToken
        name: ecr-auth-token
  refreshInterval: 1h
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: ecr-docker
    template:
      data:
        .dockerconfigjson: |
          {
            "auths": {
              "188451452903.dkr.ecr.us-east-1.amazonaws.com": {
                "username": "{{ .username }}",
                "password": "{{ .password }}",
                "auth": "{{ printf "%s:%s" .username .password | b64enc }}"
              }
            }
          }
      type: kubernetes.io/dockerconfigjson
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-image-updater-config
    app.kubernetes.io/part-of: argocd-image-updater-controller
  name: argocd-image-updater-config
  namespace: argocd-image-updater-system
data:
  log.level: info
  registries.conf: |
    registries:
    - name: ECR
      api_url: https://<account_id>.dkr.ecr.us-east-1.amazonaws.com
      prefix:<account_id>.dkr.ecr.us-east-1.amazonaws.com
      ping: yes
      insecure: no
      credentials: pullsecret:argocd-image-updater-system/ecr-docker
---

[anishbista60]

When i restart the pod, it will again start working for next 12 hours. But it should be dynamic right ?

[dkarpele]

@anishbista60 Have you seen this article https://aws.plainenglish.io/aws-ecr-argocd-automate-helm-chart-access-with-cross-account-token-rotation-582efe20a748?
#112

[anishbista60]

@dkarpele once secret is modified. Does image updater pod pull latest token ? It need manual restart of the pod to pull the new token.

Configmap look like

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-image-updater-config
    app.kubernetes.io/part-of: argocd-image-updater-controller
  name: argocd-image-updater-config
  namespace: argocd-image-updater-system
data:
  log.level: info
  registries.conf: |
    registries:
    - name: ECR
      api_url: https://<account_id>.dkr.ecr.us-east-1.amazonaws.com
      prefix:<account_id>.dkr.ecr.us-east-1.amazonaws.com
      ping: yes
      insecure: no
      credentials: pullsecret:argocd-image-updater-system/ecr-docker

[anishbista60]

So, i have setup the cron job to delete the ecr-docker secret every 11 hours. Since, this secret is created by ESO, it will create the recreate the secret with new token. But when secret changes image updater pod should trigger reconcile loop again . so that it can read the new token .

Now, my question is how to make sure that when ecr-docker changes then pod will load the latest token ?

[anishbista60]

Closing this issue: Use reloader to rollout/restart the image updater deployment whenever there will be changes in the secret.

[dkarpele]

@anishbista60 just want to clarify. Did you try this setup with annotation-based version 0.17? Does it work?

[anishbista60]

@anishbista60 just want to clarify. Did you try this setup with annotation-based version 0.17? Does it work?

Didn'get it. Could you please clarify a bit more and which version 0.17 you are talking about ?