AWS ECR provenance info creates confusing appearance of multi-arch images

Overview

When pushing images to Amazon Elastic Container Registry (ECR) using CircleCI workflows, users may encounter a confusing display in the ECR console. Specifically, the inclusion of provenance information (metadata that helps verify image authenticity) can make the UI appear as though multiple versions of the same image are present. This is especially problematic because the provenance metadata is displayed in a way that resembles separate, architecture-specific images in the ECR UI.

The problem

The issue stems from how AWS ECR currently handles provenance metadata. Each image pushed with provenance enabled carries this information as a separate entry in the UI. For single-architecture images, this creates the illusion of multiple versions of the same image, as shown in the example screenshot.

In the example, the ECR UI lists entries with Image Index and Image tags separately. Users might assume this represents multiple distinct images, but it is simply a side effect of provenance metadata being attached to the pushed image.

What is provenance?

Provenance metadata provides cryptographic information about the origin and authenticity of an image: it records how, where and from which sources the image was built, so that consumers can verify its source and detect tampering. BuildKit (invoked by docker buildx) attaches this attestation to the pushed image as an additional manifest inside an OCI image index, with the platform recorded as unknown/unknown. Because ECR lists every manifest in the index as its own artifact, even a single-architecture build shows up as an Image Index plus two Image entries. While useful in secure environments, this introduces visual clutter in the AWS ECR UI, especially when multi-architecture images are involved.
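The quickest way to confirm that the extra ECR entries are attestations rather than additional images is to look at the image index itself (for example the JSON returned by docker buildx imagetools inspect --raw). The following added example, which is not code from this article or from CircleCI, parses a constructed index in the shape buildx produces and separates runnable image manifests from attestation manifests; the digests are placeholders.

```python
import json

# Constructed sample: an OCI image index as BuildKit/buildx produces it for a
# single-architecture build with provenance enabled. Digests are placeholders.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + "11" * 32,
            "size": 1234,
            "platform": {"architecture": "amd64", "os": "linux"},
        },
        {
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + "22" * 32,
            "size": 567,
            "platform": {"architecture": "unknown", "os": "unknown"},
            "annotations": {
                "vnd.docker.reference.type": "attestation-manifest",
                "vnd.docker.reference.digest": "sha256:" + "11" * 32,
            },
        },
    ],
})


def classify_manifests(index_json: str) -> dict:
    """Split an image index into runnable image manifests and attestation
    manifests, and link each attestation to the image it describes."""
    index = json.loads(index_json)
    images, attestations = [], {}
    for m in index.get("manifests", []):
        ann = m.get("annotations", {})
        plat = m.get("platform", {})
        if ann.get("vnd.docker.reference.type") == "attestation-manifest":
            # Attestations carry platform unknown/unknown and point at the
            # image manifest they cover via vnd.docker.reference.digest.
            attestations[m["digest"]] = ann.get("vnd.docker.reference.digest")
        else:
            images.append((m["digest"], f"{plat.get('os')}/{plat.get('architecture')}"))
    # Flag attestations whose referenced image is not part of this index.
    known = {digest for digest, _ in images}
    dangling = [a for a, ref in attestations.items() if ref not in known]
    return {"images": images, "attestations": attestations, "dangling": dangling}


if __name__ == "__main__":
    summary = classify_manifests(SAMPLE_INDEX)
    print(f"{len(summary['images'])} image(s), "
          f"{len(summary['attestations'])} attestation(s)")
```

An index with one linux/amd64 image and one attestation is exactly what the ECR console renders as an Image Index plus two Image rows.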

Solution

If provenance is not required for your use case, you can disable it to simplify the appearance of images in the ECR console. This can be achieved by adding --provenance=false to the extra_build_args parameter when using CircleCI’s build_and_push_image job.

Example CircleCI configuration

Below is an example of how to configure your CircleCI pipeline to disable provenance metadata:

version: '2.1'

orbs:
  aws-cli: circleci/aws-cli@5.1.2
  aws-ecr: circleci/aws-ecr@9.3.7

workflows:
  build-and-push-image:
    jobs:
      - aws-ecr/build_and_push_image:
          context: aws
          auth:
            - aws-cli/setup:
                role_arn: arn:aws:iam::XXXXXXXXXXXX:role/CircleCI-OIDC-Role
                profile_name: "OIDC-PROFILE"
          repo: ecr-repo-name
          # Passed through to `docker buildx build`; omits the attestation manifest.
          extra_build_args: '--provenance=false'
          account_id: 'XXXXXXXXXXXX'
          region: us-east-1
          # Must name a profile configured by one of the `auth` steps above
          # (for example an additional role-assumption step that writes "ECR-ROLE");
          # otherwise use the same name given to aws-cli/setup.
          profile_name: "ECR-ROLE"

Why disable provenance?

  • Simplified UI: Disabling provenance removes the extra metadata, making the ECR UI more intuitive and easier to navigate.
  • Avoid Confusion: Prevents users from mistaking provenance metadata entries for separate images.
  • Use Case Relevance: If you do not require cryptographic provenance for your images, disabling this feature reduces unnecessary complexity.

When should provenance be enabled?

Keep provenance enabled when:

  • Security and traceability are critical.
  • Your organization requires verifiable proof of image origin.
  • You are working in regulated environments where compliance requires image authenticity.

Conclusion

While provenance is a valuable security feature, it may cause confusion in the AWS ECR UI for certain workflows, especially with multi-architecture images. By disabling it when not needed, you can streamline your workflows and improve usability. For more information, see the related GitHub issue and refer to CircleCI’s documentation.
