Evan R.

Reputation: 1244

gitlab container scanner can't install aws-cli

In the gitlab CI docs (https://docs.gitlab.com/ee/user/application_security/container_scanning/), it states you can scan ECR using the following:

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  before_script:
    - ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
    - unzip awscliv2.zip
    - ./aws/install
    - aws --version
    - export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region region)
  variables:
    DOCKER_IMAGE: <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<image>:<tag>
    DOCKER_USER: AWS
    DOCKER_PASSWORD: "$AWS_ECR_PASSWORD"

When I add the "before_script", I get the following:

inflating: aws/dist/cryptography-3.3.2-py3.9.egg-info/LICENSE  
  inflating: aws/dist/cryptography-3.3.2-py3.9.egg-info/WHEEL  
   creating: aws/dist/cryptography/hazmat/
   creating: aws/dist/cryptography/hazmat/bindings/
  inflating: aws/dist/cryptography/hazmat/bindings/_openssl.abi3.so  
$ ./aws/install
mkdir: cannot create directory ‘/usr/local/aws-cli’: Permission denied
Uploading artifacts for failed job
00:00
Uploading artifacts...
WARNING: gl-container-scanning-report.json: no matching files 

Seems it doesn't have permissions. Is there another way to get it to work? Thanks!

Upvotes: 1

Views: 371

Answers (1)

sytech

Reputation: 41119

The container_scanning job (by default) uses the docker image registry.gitlab.com/security-products/container-scanning:4.

You can also see this image specifies its user as gitlab, which implies to me that the user in the image, unlike most images you might traditionally use, does not have root privileges by default.

This user will, therefore, not have permission to write to /usr/local/.

You can probably work around this by using sudo:

- sudo ./aws/install

(or as you stated, you can direct the installation to another location that doesn't require elevated permissions to write to by using -i and -b flags for the installer).

Upvotes: 1
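The second workaround the answer mentions, written out as an added example (not code from the question, the answer or the GitLab docs): install the AWS CLI v2 into a directory the image's non-root user can write to, using the installer's -i (install dir) and -b (bin dir) flags, so the job needs no sudo. It assumes $HOME is writable in the scanner image and that AWS credentials and AWS_DEFAULT_REGION are provided as masked CI/CD variables.

```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  before_script:
    - ruby -r open-uri -e "IO.copy_stream(URI.open('https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip'), 'awscliv2.zip')"
    - unzip -q awscliv2.zip
    # Assumed writable paths under $HOME instead of /usr/local, which the
    # unprivileged "gitlab" user in the scanner image cannot write to
    - ./aws/install -i "$HOME/aws-cli" -b "$HOME/bin"
    - export PATH="$HOME/bin:$PATH"
    - aws --version
    # Short-lived ECR token (about 12 hours); it lives only in this job's
    # environment and is never committed to the repository
    - export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region "$AWS_DEFAULT_REGION")
  variables:
    DOCKER_IMAGE: <aws_account_id>.dkr.ecr.<region>.amazonaws.com/<image>:<tag>
    DOCKER_USER: AWS
    DOCKER_PASSWORD: "$AWS_ECR_PASSWORD"
```

Because the token is generated in before_script, DOCKER_PASSWORD must be read from the job environment at runtime, which is why it is referenced as "$AWS_ECR_PASSWORD" rather than pasted as a value.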
