eclipse-jkube · ash-thakur-rh · Nov 26, 2025 · Nov 26, 2025 · Nov 27, 2025 · Nov 27, 2025
@@ -25,6 +25,7 @@ Usage:
 * Fix #3591: Fix windows line endings for yaml literal blocks, json serialization config updated
 * Fix #3781: Native Generator does not work in Windows system, always finds multiple native executable
 * Fix #2286: Remove Guava dependency where ever possible
+* Fix #3732: ECR registry Auth with AWS SDK java v2
 * Fix #3809: Actuator liveness and readiness probe not getting generated with Spring boot 4.x.x
 * Fix #3707: Setting readOnly flag in VolumeConfig has no effect
 * Fix #1458: Consideration of "ssl.enabled" properties to enable liveness/readiness probe for Spring Boot Actuator

@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+/**
+ * Abstract base class for AWS SDK helpers.
+ * Contains common functionality shared between AWS SDK v1 and v2 helpers.
+ */
+abstract class AbstractAwsSdkHelper implements AwsSdkAuthHelper {
+  protected static final String ACCESS_KEY_ID = "AWS_ACCESS_KEY_ID";
+  protected static final String SECRET_ACCESS_KEY = "AWS_SECRET_ACCESS_KEY";
+  protected static final String SESSION_TOKEN = "AWS_SESSION_TOKEN";
+  protected static final String CONTAINER_CREDENTIALS_RELATIVE_URI = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI";
+  protected static final String METADATA_ENDPOINT = "ECS_METADATA_ENDPOINT";
+
+  @Override
+  public String getAwsAccessKeyIdEnvVar() {
+    return System.getenv(ACCESS_KEY_ID);
+  }
+
+  @Override
+  public String getAwsSecretAccessKeyEnvVar() {
+    return System.getenv(SECRET_ACCESS_KEY);
+  }
+
+  @Override
+  public String getAwsSessionTokenEnvVar() {
+    return System.getenv(SESSION_TOKEN);
+  }
+
+  @Override
+  public String getAwsContainerCredentialsRelativeUri() {
+    return System.getenv(CONTAINER_CREDENTIALS_RELATIVE_URI);
+  }
+
+  @Override
+  public String getEcsMetadataEndpoint() {
+    return System.getenv(METADATA_ENDPOINT);
+  }
+}
@@ -21,44 +21,52 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+/**
+ * Factory for creating AWS authentication configuration using AWS SDK.
+ * Supports both AWS SDK v1 and v2 through the AwsSdkHelper abstraction.
+ */
 public class AwsSdkAuthConfigFactory {
+  private final KitLogger log;
+  private final AwsSdkHelper awsSdkHelper;
 
-    private final KitLogger log;
-    private final AwsSdkHelper awsSdkHelper;
+  public AwsSdkAuthConfigFactory(KitLogger log, AwsSdkHelper awsSdkHelper) {
+    this.log = log;
+    this.awsSdkHelper = awsSdkHelper;
+  }
 
-    public AwsSdkAuthConfigFactory(KitLogger log, AwsSdkHelper awsSdkHelper) {
-        this.log = log;
-        this.awsSdkHelper = awsSdkHelper;
-    }
+  /**
+   * Create authentication configuration from AWS SDK default credentials provider.
+   * Automatically works with both AWS SDK v1 and v2.
+   *
+   * @return AuthConfig with AWS credentials or null if credentials cannot be retrieved
+   */
+  public AuthConfig createAuthConfig() {
+    try {
+      log.debug("Attempting to get AWS credentials from SDK %s", awsSdkHelper.getSdkVersion());
+      AuthConfig authConfig = awsSdkHelper.getAuthConfigFromDefaultCredentialsProvider();
 
-    public AuthConfig createAuthConfig() {
-        try {
-            Object credentials = awsSdkHelper.getCredentialsFromDefaultAWSCredentialsProviderChain();
-            if (credentials == null) {
-                return null;
-            }
+      if (authConfig == null) {
+        log.debug("No AWS credentials found from SDK default credentials provider");
+        return null;
+      }
 
-            return AuthConfig.builder()
-                    .username(awsSdkHelper.getAWSAccessKeyIdFromCredentials(credentials))
-                    .password(awsSdkHelper.getAwsSecretKeyFromCredentials(credentials))
-                    .email("none")
-                    .auth(awsSdkHelper.getSessionTokenFromCrendentials(credentials))
-                    .build();
-        } catch (Exception t) {
-            String issueTitle = null;
-            try {
-                issueTitle = URLEncoder.encode("Failed calling AWS SDK: " + t.getMessage(), UTF_8.name());
-            } catch (UnsupportedEncodingException ignore) {
-            }
-            log.warn("Failed to fetch AWS credentials: %s", t.getMessage());
-            if (t.getCause() != null) {
-                log.warn("Caused by: %s", t.getCause().getMessage());
-            }
-            log.warn("Please report a bug at https://github.com/eclipse-jkube/jkube/issues/new?%s",
-                    issueTitle == null ? "" : "title=?" + issueTitle);
-            log.warn("%s", t);
-            return null;
-        }
+      log.debug("Successfully retrieved AWS credentials from SDK %s", awsSdkHelper.getSdkVersion());
+      return authConfig;
+    } catch (Exception t) {
+      String issueTitle = null;
+      try {
+        issueTitle = URLEncoder.encode("Failed calling AWS SDK: " + t.getMessage(), UTF_8.name());
+      } catch (UnsupportedEncodingException ignore) {
+      }
+      log.warn("Failed to fetch AWS credentials using SDK %s: %s", awsSdkHelper.getSdkVersion(), t.getMessage());
+      if (t.getCause() != null) {
+        log.warn("Caused by: %s", t.getCause().getMessage());
+      }
+      log.warn("Please report a bug at https://github.com/eclipse-jkube/jkube/issues/new?%s",
+          issueTitle == null ? "" : "title=?" + issueTitle);
+      log.debug("Exception details: %s", t);
+      return null;
     }
+  }
 
 }
@@ -0,0 +1,79 @@
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at:
+ *
+ *     https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *   Red Hat, Inc. - initial API and implementation
+ */
+package org.eclipse.jkube.kit.build.service.docker.auth.ecr;
+
+import org.eclipse.jkube.kit.build.api.auth.AuthConfig;
+
+/**
+ * Interface for AWS SDK authentication helpers.
+ * Supports both AWS SDK v1 and v2 through reflection to avoid hard dependencies.
+ */
+public interface AwsSdkAuthHelper {
+
+  /**
+   * Check if AWS SDK is present in the classpath.
+   *
+   * @return true if AWS SDK is available, false otherwise
+   */
+  boolean isAwsSdkAvailable();
+
+  /**
+   * Get AWS SDK version.
+   *
+   * @return version string (e.g., "v1", "v2")
+   */
+  String getSdkVersion();
+
+  /**
+   * Get AWS Access Key ID from environment variable.
+   *
+   * @return AWS Access Key ID or null
+   */
+  String getAwsAccessKeyIdEnvVar();
+
+  /**
+   * Get AWS Secret Access Key from environment variable.
+   *
+   * @return AWS Secret Access Key or null
+   */
+  String getAwsSecretAccessKeyEnvVar();
+
+  /**
+   * Get AWS Session Token from environment variable.
+   *
+   * @return AWS Session Token or null
+   */
+  String getAwsSessionTokenEnvVar();
+
+  /**
+   * Get AWS Container Credentials Relative URI from environment variable.
+   *
+   * @return relative URI or null
+   */
+  String getAwsContainerCredentialsRelativeUri();
+
+  /**
+   * Get ECS Metadata Endpoint.
+   *
+   * @return ECS metadata endpoint URL
+   */
+  String getEcsMetadataEndpoint();
+
+  /**
+   * Get AWS credentials using default credentials provider chain.
+   *
+   * @return AuthConfig with credentials or null if not available
+   */
+  AuthConfig getCredentialsFromDefaultCredentialsProvider();
+}