aws / aws-toolkit-azure-devops

AWS Toolkit for Azure DevOps

ECRPushImage - Failed to obtain authorization token to log in to ECR, error: UnrecognizedClientException #547

Closed rowanfreeman-acutro closed 6 months ago

rowanfreeman-acutro commented 7 months ago

Describe the bug

I get the following error when using the ECRPushImage@1 task to push an image to my AWS ECR.

Failed to obtain authorization token to log in to ECR, error: UnrecognizedClientException: The security token included in the request is invalid

The full log in Azure DevOps looks like this

Starting: ECRPushImage
==============================================================================
Task         : Amazon ECR Push
Description  : Push a Docker image to an Amazon Elastic Container Registry on AWS
Version      : 1.14.0
Author       : Amazon Web Services
Help         : Please refer to [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/) documentation for working with this service.

More information on this task can be found in the [task reference](https://docs.aws.amazon.com/vsts/latest/userguide/ecr-pushimage.html).

####Task Permissions
This task requires permissions to call the following AWS service APIs (depending on selected task options, not all APIs may be used):
* ecr:DescribeRepositories
* ecr:CreateRepository
* ecr:GetAuthorizationToken
==============================================================================
Configuring credentials for task
...configuring AWS credentials from service endpoint '[redacted]'
...configuring AWS credentials from service endpoint '[redacted]'
...endpoint defines role-based credentials for role ***.
Configuring region for task
...configured to use region ap-southeast-4, defined in task.
Pushing image 'discord-musicbot:89'
Obtaining authentication token for ECR login
##[error]Error: Failed to obtain authorization token to log in to ECR, error: UnrecognizedClientException: The security token included in the request is invalid
Finishing: ECRPushImage

To reproduce

  1. Use the following task in azure-pipelines.yml
- task: ECRPushImage@1
  inputs:
    awsCredentials: "AWS ECR"
    regionName: $(AWS_REGION)
    imageSource: "imagename"
    sourceImageName: $(DOCKER_REPOSITORY_NAME)
    sourceImageTag: $(tag)
    pushTag: latest
    repositoryName: $(DOCKER_REPOSITORY_NAME)
  2. Create a user in IAM
  3. Create a role and assign it the following policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability",
                "ecr:CompleteLayerUpload",
                "ecr:DescribeImages",
                "ecr:DescribeRepositories",
                "ecr:GetDownloadUrlForLayer",
                "ecr:InitiateLayerUpload",
                "ecr:ListImages",
                "ecr:PutImage",
                "ecr:UploadLayerPart"
            ],
            "Resource": "[redacted - ECR ARN]"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        }
    ]
}

Expected behavior

Obtaining an authentication token for ECR login should be successful and the image should be pushed to the container repository.

Screenshots

Your Environment

Additional context

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::[redacted]:user/Azure-DevOps"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
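As an added least-privilege check (example code written for this page, not from the issue or the toolkit): it audits the posted permission policy against the ECR actions the task log lists under "Task Permissions" plus the actions a docker push performs after login. The repository ARN is a constructed placeholder standing in for the redacted one.

```python
import json
from fnmatch import fnmatchcase

# Actions the ECRPushImage@1 task declares in its log header.
TASK_ACTIONS = {"ecr:DescribeRepositories", "ecr:CreateRepository",
                "ecr:GetAuthorizationToken"}
# Actions the docker push performs against the repository after login.
PUSH_ACTIONS = {"ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"}
# Registry-level actions have no resource-level scoping, so they need "*".
REGISTRY_LEVEL = {"ecr:GetAuthorizationToken"}

# Constructed placeholder for the issue's redacted repository ARN.
REPO_ARN = "arn:aws:ecr:ap-southeast-4:111122223333:repository/discord-musicbot"
# The role's permission policy as posted in the issue, with the placeholder ARN.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": REPO_ARN, "Action": [
        "ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload", "ecr:DescribeImages",
        "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload", "ecr:ListImages", "ecr:PutImage",
        "ecr:UploadLayerPart"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["ecr:GetAuthorizationToken"]},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def resources_for(policy: str, action: str) -> set:
    """Union of resources that Allow statements grant for `action`, honouring
    wildcard action patterns such as "ecr:*". Deny statements are not evaluated."""
    granted = set()
    for stmt in json.loads(policy)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            granted.update(_as_list(stmt["Resource"]))
    return granted

def audit(policy: str, repo_arn: str) -> dict:
    """Report needed actions the policy lacks, repository actions granted on "*"
    rather than the repository, and registry-level actions scoped to an ARN."""
    findings = {"missing": [], "overbroad": [], "misscoped": []}
    for action in sorted(TASK_ACTIONS | PUSH_ACTIONS):
        res = resources_for(policy, action)
        if not res:
            findings["missing"].append(action)
        elif action in REGISTRY_LEVEL and "*" not in res:
            findings["misscoped"].append(action)
        elif action not in REGISTRY_LEVEL and "*" in res:
            findings["overbroad"].append(action)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, REPO_ARN))
```

Against the posted policy it reports only ecr:CreateRepository as missing, which matters only if the repository does not already exist; it says nothing about the STS token problem the issue is about.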
rowanfreeman-acutro commented 6 months ago

I finally figured this out. I believe the problem has to do with assuming a role with STS but I'm in an Australian region.
