Open ngoyal16 opened 2 years ago
I was able to get around the cross-account push by mounting the aws config file and switching profile names. I'm building the image in the dev account and pushing to the staging account. Hope this helps.
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kaniko-aws-config
  labels:
    app: kaniko
data:
  config: |
    [profile default]
    region = us-east-1
    role_arn = arn:aws:iam::<account-id>:role/<role-name>
    web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token

    [profile staging]
    region = us-east-1
    role_arn = arn:aws:iam::<account-id>:role/<role-name>
    source_profile = default
```
Container Spec

```yaml
image: gcr.io/kaniko-project/executor:debug
env:
  - name: AWS_SDK_LOAD_CONFIG
    value: "true"
  - name: AWS_CONFIG_FILE
    value: "/root/.aws/config"
  - name: AWS_PROFILE
    value: staging
volumeMounts:
  - name: aws-config
    mountPath: /root/.aws/config
    subPath: config
```
I've run into this issue as well
Hi, I'm actually running into this error too: I'm unable to push an image to ECR cross-account. I'm getting an EOF error.
Any Updates?
Hi
I had something similar using Kaniko in a pod on AWS EKS.
I have multiple profiles in the .aws/config file.
```ini
[profile default]
max_attempts = 10
web_identity_token_file = /var/run/secrets/eks.amazonaws.com/serviceaccount/token
role_arn = arn:aws:iam::111111111111:role/default-role

[profile services]
max_attempts = 10
source_profile = default
role_arn = arn:aws:iam::222222222222:role/children-role
```
default-role in account 111111111111 is allowed to assume children-role in account 222222222222. children-role is authorized to push to the 222222222222 ECR, but default-role is not.
To make the push work, I set AWS_PROFILE to services and AWS_REGION to my AWS region, and removed the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE env vars, because these variables are added to the pod by EKS and used in priority by the SDK (I guess).
Actual behavior
We are trying to push the image to an ECR that exists in another account (account 2). Push permission has been granted to account 1 using a resource policy. If we push using docker with the aws ecr credential helper it works, but with kaniko it does not seem to work. Following are the logs from kaniko:
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "[MASKED].dkr.ecr.[MASKED].amazonaws.com/test:latest": Post "https://[MASKED].dkr.ecr.[masked].amazonaws.com/v2/test/blobs/uploads/": EOF
logs from .ecr/log/* folder
time="2022-08-25T17:39:43Z" level=debug msg="Retrieving credentials" region=[MASKED] registry=[MASKED] serverURL=[MASKED].dkr.ecr.[MASKED].amazonaws.com service=ecr
time="2022-08-25T17:39:43Z" level=debug msg="Checking file cache" registry=[MASKED]
time="2022-08-25T17:39:43Z" level=debug msg="Calling ECR.GetAuthorizationToken" registry=[MASKED]
time="2022-08-25T17:39:43Z" level=debug msg="Saving credentials to file cache" registry=[MASKED] service=ecr