Push to ECR using instance roles

Add instructions

Fixes #785

README.md

@@ -345,12 +345,13 @@ Run kaniko with the `config.json` inside `/kaniko/.docker/config.json`
 The Amazon ECR [credential helper](https://github.com/awslabs/amazon-ecr-credential-helper) is built in to the kaniko executor image.
 To configure credentials, you will need to do the following:
 
-1. Update the `credHelpers` section of [config.json](https://github.com/awslabs/amazon-ecr-credential-helper#configuration) with the specific URI of your ECR registry:
+1. Update the `credHelpers` section of [config.json](https://github.com/awslabs/amazon-ecr-credential-helper#configuration) with the specific URI of your ECR registry,
+replacing AWS_ACCOUNT_ID and REGION:
 
   ```json
   {
     "credHelpers": {
-      "aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
+      "AWS_ACCOUNT_ID.dkr.ecr.REGION.amazonaws.com": "ecr-login"
     }
   }
   ```
@@ -361,42 +362,47 @@ To configure credentials, you will need to do the following:
   kubectl create configmap docker-config --from-file=<path to config.json>
   ```
 
-2. Create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster.
+2. Configure credentials
 
-  To create the secret, run:
+    1. You can use instance roles when pushing to ECR from a EC2 instance or from EKS, by [configuring the instance role permissions](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html).
 
-  ```shell
+    2. Or you can create a Kubernetes secret for your `~/.aws/credentials` file so that credentials can be accessed within the cluster.
-  kubectl create secret generic aws-secret --from-file=<path to .aws/credentials>
+    To create the secret, run:
-  ```
+        ```shell
+        kubectl create secret generic aws-secret --from-file=<path to .aws/credentials>
+        ```
 
-  The Kubernetes Pod spec should look similar to this, with the args parameters filled in:
+The Kubernetes Pod spec should look similar to this, with the args parameters filled in.
+Note that `aws-secret` volume mount and volume are only needed when using AWS credentials from a secret, not when using instance roles.
 
-  ```yaml
+```yaml
-  apiVersion: v1
+apiVersion: v1
-  kind: Pod
+kind: Pod
-  metadata:
+metadata:
-    name: kaniko
+  name: kaniko
-  spec:
+spec:
-    containers:
+  containers:
-    - name: kaniko
+  - name: kaniko
-      image: gcr.io/kaniko-project/executor:latest
+    image: gcr.io/kaniko-project/executor:latest
-      args: ["--dockerfile=<path to Dockerfile within the build context>",
+    args: ["--dockerfile=<path to Dockerfile within the build context>",
-              "--context=s3://<bucket name>/<path to .tar.gz>",
+            "--context=s3://<bucket name>/<path to .tar.gz>",
-              "--destination=<aws_account_id.dkr.ecr.region.amazonaws.com/my-repository:my-tag>"]
+            "--destination=<aws_account_id.dkr.ecr.region.amazonaws.com/my-repository:my-tag>"]
-      volumeMounts:
+    volumeMounts:
-        - name: aws-secret
-          mountPath: /root/.aws/
-        - name: docker-config
-          mountPath: /kaniko/.docker/
-    restartPolicy: Never
-    volumes:
-      - name: aws-secret
-        secret:
-          secretName: aws-secret
       - name: docker-config
-        configMap:
+        mountPath: /kaniko/.docker/
-          name: docker-config
+      # when not using instance role
-  ```
+      - name: aws-secret
+        mountPath: /root/.aws/
+  restartPolicy: Never
+  volumes:
+    - name: docker-config
+      configMap:
+        name: docker-config
+    # when not using instance role
+    - name: aws-secret
+      secret:
+        secretName: aws-secret
+```
 
 ### Additional Flags