GoogleContainerTools / jib

🏗 Build container images for your Java applications.
Apache License 2.0

The credential helper (docker-credential-osxkeychain) has nothing for server URL #4273

Closed reynico closed 3 weeks ago

reynico commented 3 weeks ago

Environment:

Description of the issue: Hey there, I'm facing problems reproducing a local environment. The project is Gradle-based, and I use JIB to build the containers. The base image is OpenJDK, stored in a private ECR Repository. The image we source in JIB is a manifest containing two images (an image index), one for arm64 and one for amd64.

The .docker/config.json:

% cat ~/.docker/config.json
{
        "auths": {
                "xxx.dkr.ecr.us-east-2.amazonaws.com": {}
        },
        "credsStore": "osxkeychain"
}

and the docker-credential-osxkeychain has the URL information (or that's what I imagine from the output):


% docker-credential-osxkeychain list
{"https://xxx.dkr.ecr.us-east-2.amazonaws.com":"AWS"}

What I found is, if I remove the digest from the docker image in the jib config, i.e.:

-        image = "xxx.dkr.ecr.us-east-2.amazonaws.com/openjdk:17@sha256:yyyy"
+        image = "xxx.dkr.ecr.us-east-2.amazonaws.com/openjdk:17"
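Review bot: the `+` line drops the `@sha256:yyyy` pin, so the base image is resolved through the mutable tag `17` and the build no longer fixes which manifest it pulls. Keep the digest in the reference; the tag-only form is useful as a diagnostic step, not as the final config.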

Jib works as expected and actually pulls the correct tag with the removed digest:

Using base image with digest: sha256:yyyy

One thing to note here is that yyyy is the digest for the manifest.

Expected behavior: Jib should be able to get the base image with the digest hash as well.

jib-gradle-plugin Configuration:

    from {
        image = "https://xxx.dkr.ecr.us-east-2.amazonaws.com/openjdk:17@sha256:yyyy"
        platforms {
            platform {
                architecture = 'amd64'
                os = 'linux'
            }
            platform {
                architecture = 'arm64'
                os = 'linux'
            }
        }
    }

Log output:

The base image requires auth. Trying again for xxx.dkr.ecr.us-east-2.amazonaws.com/openjdk:17
The credential helper (docker-credential-osxkeychain) has nothing for server URL: xxx.dkr.ecr.us-east-2.amazonaws.com

Got output:

The user name or passphrase you entered is not correct.

...

> com.google.cloud.tools.jib.plugins.common.BuildStepsExecutionException: Build image failed, perhaps you should make sure your credentials for 'xxx.dkr.ecr.us-east-2.amazonaws.com/openjdk' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help

Additional Information:

reynico commented 3 weeks ago

Closing this issue for now, as I think I found the cause.

JIB likes the following format: the human-readable image tag is not present, and the image is referenced by just its digest @sha256:yyyy.

image = "xxx.dkr.ecr.us-east-2.amazonaws.com/openjdk@sha256:yyyy"

which is confusing at best because if you revert that line to the one that includes the image tag as 17@sha256:yyyy, it continues to work.

chanseokoh commented 3 weeks ago

Just to be clear, you shouldn't include https:// in image.

-image = "https://xxx.dkr.ecr.us-east-2.amazonaws.com/openjdk:17@sha256:yyyy"
+image = "xxx.dkr.ecr.us-east-2.amazonaws.com/openjdk:17@sha256:yyyy"
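
An added example, not part of the issue thread and not Jib's code: a Python preflight check that rejects a scheme in the `image` value, splits the reference into registry, tag and digest, and looks for the registry among the keys printed by `docker-credential-osxkeychain list`. The simplified reference grammar, the function names and the sample digest are assumptions made for this example; it does not reproduce Jib's own lookup logic.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample data: the digest is made up; the helper output mirrors
# the `docker-credential-osxkeychain list` line quoted in the issue.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_HELPER_LIST = '{"https://xxx.dkr.ecr.us-east-2.amazonaws.com":"AWS"}'

# Simplified grammar for registry/repository[:tag][@sha256:<hex>]. This is an
# assumption for the example, not the full Docker reference grammar.
REF_RE = re.compile(
    r"^(?P<registry>[A-Za-z0-9.-]+(?::\d+)?)/"
    r"(?P<repository>[a-z0-9]+(?:[._/-][a-z0-9]+)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


def parse_image_ref(ref):
    """Split an image reference; reject a URL scheme such as https://."""
    if "://" in ref:
        raise ValueError("image reference must not include a scheme: " + ref)
    m = REF_RE.match(ref)
    if m is None:
        raise ValueError("unparseable image reference: " + ref)
    return m.groupdict()


def helper_key_for(registry, helper_list_json):
    """Return the helper key whose host equals the registry, else None.
    Keys may be bare hosts or full URLs, so compare on the host part only."""
    for key in json.loads(helper_list_json):
        host = urlsplit(key if "://" in key else "//" + key).netloc
        if host.lower() == registry.lower():
            return key
    return None


def preflight(ref, helper_list_json):
    """Summarise what a build would need: registry, digest pin, stored key."""
    parts = parse_image_ref(ref)
    return {
        "registry": parts["registry"],
        "pinned": parts["digest"] is not None,
        "helper_key": helper_key_for(parts["registry"], helper_list_json),
    }


if __name__ == "__main__":
    ref = "xxx.dkr.ecr.us-east-2.amazonaws.com/openjdk:17@" + SAMPLE_DIGEST
    print(preflight(ref, SAMPLE_HELPER_LIST))
```
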