[Bug]: OCI registry with AWS ECR about flipt HOT 9 OPEN

A possible solution to this problem is:

• Disable cache when aws-ecr is chosen as we know the ECR API will always return a 403 when to token has expired
• Modify the ECR struct to keep track when the token expire and renew the auth token some minutes before

from flipt.

I could work on this if needed

from flipt.

In fact it doesn't reach the challange piece of code, oras has this check:

if resp.StatusCode != http.StatusUnauthorized {
    return resp, nil
}

Source

In this bug the response status is "Forbidden" which will make the if statement condition to pass

from flipt.

Hey @thepabloaguilar.

Thank you for the report.

I still need to read more AWS docs when http code 403 could be returned to finalize it. What do you think about #3044?

from flipt.

In fact it doesn't reach the challange piece of code, oras has this check:

if resp.StatusCode != http.StatusUnauthorized {
    return resp, nil
}

Source

In this bug the response status is "Forbidden" which will make the if statement condition to pass

@thepabloaguilar thanks for reporting! would this be a bug in ORAS then that we could open/issue a patch for? or do you think its only related to how we are using the ORAS client?

from flipt.

That's a great question @markphelps, I think it's not ORAS issue since it's behaving as it should be as the challange is only returned by Forbidden status code. I do think it's an AWS Issue, at least for my understanding because I think if my token is expired I'm not forbbiden, I'm unauthorized, I no longer have a valid token so I don't have access to anything

from flipt.

Hey @thepabloaguilar.

Thank you for the report.

I still need to read more AWS docs when http code 403 could be returned to finalize it. What do you think about #3044?

I like @erka 's solution here! Just need to update to add the header like @thepabloaguilar mentioned

from flipt.

Me too @markphelps, that should be enough

from flipt.