alexjurkiewicz / ecr-scan-image

Github Action to run AWS ECR vulnerability scan on Docker image
MIT License

Error: Missing credentials in config when using AWS_WEB_IDENTITY_TOKEN_FILE #16

Closed sbkg0002 closed 3 years ago

sbkg0002 commented 3 years ago

When using AWS Federation, the AWS_WEB_IDENTITY_TOKEN_FILE is set (and no AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY are used).

GHA:

# https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1

# https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions
- name: Build, tag, and push image to Amazon ECR
  env:
    # Static
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    IMAGE_TAG: ${{ github.sha }}
  run: |
    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG docker/
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

# https://github.com/marketplace/actions/aws-ecr-scan-docker-image
- name: Scan Docker image
  id: docker-scan
  uses: alexjurkiewicz/ecr-scan-image@v1.6.1
  env:
    # Static
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    IMAGE_TAG: ${{ github.sha }}
  with:
    repository: $ECR_REGISTRY/$ECR_REPOSITORY
    tag: $IMAGE_TAG
    fail_threshold: high

Both the login and the build&push succeed, but the scan fails with:

Error: Missing credentials in config

Any idea why this might fail?

Thanks in advance!

alexjurkiewicz commented 3 years ago

Probably the AWS SDK needs to be updated. Could you submit a pull request? 🙏

sbkg0002 commented 3 years ago

@alexjurkiewicz sure!

sbkg0002 commented 3 years ago

Thanks for the merge. Unfortunately, running alexjurkiewicz/ecr-scan-image@master doesn't fix it.

Error: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

I have zero knowledge about nodejs, but this seems to describe it? https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/TokenFileWebIdentityCredentials.html

alexjurkiewicz commented 3 years ago

I'm sorry, I'm not familiar with AWS web identity authorisation. You should be able to fork this repository and test potential fixes yourself. I figured you had done that for this pull request 😅

On Mon, 20 Sept 2021 at 22:36, Johan Steenhoven @.***> wrote:

Thanks for the merge. Unfortunately, running @.*** doesn't fix it.

Error: Missing credentials in config, if using AWS_CONFIG_FILE, set AWS_SDK_LOAD_CONFIG=1

I have zero knowledge about nodejs, but this seems to describe it? https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/TokenFileWebIdentityCredentials.html

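A pre-flight check for the credential environment variables named in this thread, as an added example that is not part of the original issue or of the action's code. The function name `diagnoseAwsCredentialEnv` and the JWT-shape test on the token file are assumptions; it reports which sources are usable and never prints a key or token value.

```javascript
// Added example, not code from ecr-scan-image. It inspects only the
// environment variables named in this thread and never logs secret values.
// `readFile` is injectable so the check can be tested without touching disk.
function diagnoseAwsCredentialEnv(
  env = process.env,
  readFile = (path) => require("fs").readFileSync(path, "utf8")
) {
  const sources = [];
  const findings = [];

  // Static keys: both halves are needed.
  const hasKeyId = Boolean(env.AWS_ACCESS_KEY_ID);
  const hasSecret = Boolean(env.AWS_SECRET_ACCESS_KEY);
  if (hasKeyId && hasSecret) sources.push("static-keys");
  else if (hasKeyId !== hasSecret)
    findings.push("only one of AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY is set");

  // Web identity: the environment-variable form also needs AWS_ROLE_ARN.
  const tokenFile = env.AWS_WEB_IDENTITY_TOKEN_FILE;
  if (tokenFile && !env.AWS_ROLE_ARN) {
    findings.push("AWS_WEB_IDENTITY_TOKEN_FILE is set but AWS_ROLE_ARN is not");
  } else if (tokenFile) {
    try {
      const token = String(readFile(tokenFile)).trim();
      // Assumption: the OIDC token is a JWT (three base64url segments).
      if (/^[\w-]+\.[\w-]+\.[\w-]+$/.test(token)) sources.push("web-identity");
      else findings.push("token file does not contain a JWT-shaped value");
    } catch (err) {
      findings.push(`token file unreadable: ${err.code || err.message}`);
    }
  }

  // The hint from the error message quoted in the thread.
  if (env.AWS_CONFIG_FILE && !env.AWS_SDK_LOAD_CONFIG)
    findings.push("AWS_CONFIG_FILE is set but AWS_SDK_LOAD_CONFIG is not");

  return { ok: sources.length > 0, sources, findings };
}

// Print the diagnosis for the current process environment.
console.log(JSON.stringify(diagnoseAwsCredentialEnv(), null, 2));
```

Run in the same job and environment as the failing scan step, an empty `sources` list shows that no usable credential source reached the process at all, which separates an environment problem from an SDK credential-provider problem.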