image-copy-ecr: avoid spammy misleading error log when pushing to cgr…

….dev (#210) ``` // Ordering matters here, as the first keychain that can resolve the resource will be used. // When pushing to CGR we want to try the Chainguard keychain first, since the ECR keychain // logs a misleading error message when it's invoked for a non-ECR registry. The CGR keychain // does not log such an error, so it's better to try it first. ``` Signed-off-by: Jason Hall <jason@chainguard.dev>
chainguard-dev · Aug 22, 2024 · 6181fda · 6181fda
1 parent ab16fc9
commit 6181fda
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/image-copy-ecr/main.go b/image-copy-ecr/main.go
@@ -131,8 +131,12 @@ func handler(ctx context.Context, levent events.LambdaFunctionURLRequest) (resp
 	src := "cgr.dev/" + body.Repository + ":" + body.Tag
 	dst := filepath.Join(env.FullDstRepo, filepath.Base(body.Repository)) + ":" + body.Tag
 	kc := authn.NewMultiKeychain(
-		amazonKeychain,
+		// Ordering matters here, as the first keychain that can resolve the resource will be used.
+		// When pushing to CGR we want to try the Chainguard keychain first, since the ECR keychain
+		// logs a misleading error message when it's invoked for a non-ECR registry. The CGR keychain
+		// does not log such an error, so it's better to try it first.
 		cgKeychain{env.Issuer, env.Region, env.Identity},
+		amazonKeychain,
 	)
 	if env.ImmutableTags {
 		dig, err := crane.Digest(src, crane.WithAuthFromKeychain(kc))