awslabs / amazon-ecr-credential-helper

Automatically gets credentials for Amazon ECR on docker push/docker pull
Apache License 2.0

Error using SSO: `The security token included in the request is invalid.` #311

Open gondalez opened 2 years ago

gondalez commented 2 years ago

Hi,

When 0.6.0 came out we started using amazon-ecr-credential-helper instead of logging in via aws ecr get-login-password. (Thank you for the work to support SSO 🙏)

Since then we have run into a perplexing issue. It works fine for some of our team, but others get an invalid request error in ~/.ecr/log/ecr-login.log:

time="2022-02-18T15:13:03+13:00" level=debug msg="couldn't get authorization token for default registry" error="ecr: Failed to get authorization token: operation error ECR: GetAuthorizationToken, https response error StatusCode: 400, RequestID: xxx, api error UnrecognizedClientException: The security token included in the request is invalid."

Because it seems machine-specific, we tried clearing all cache dirs and files under ~/.aws/ and ~/.ecr/, but the problem persists on the failing machine.

We have tried aws sso logout and then aws sso login.

Our aws sso accounts have exactly the same configuration for the team members that worked and that failed, so it does not seem to be a permissions error.

Also we were able to use the aws cli to perform the same operation that fails and received no error.

aws ecr get-authorization-token

{
    "authorizationData": [
        {
            "authorizationToken": "<snip>=",
            "expiresAt": "2022-02-19T02:26:08.356000+08:00",
            "proxyEndpoint": "https://<snip>.dkr.ecr.us-west-2.amazonaws.com"
        }
    ]
}

The error suggests the token is invalid, not that it is expired or that there is a permissions issue. My hunch is that the helper is extracting a token from the wrong place or not encoding it properly.

I'm hoping others have some insight?

We are running Macs with Monterey, and for both the failing and the successful machines the config is this:

» docker version
Client:
 Cloud integration: v1.0.22
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:46:56 2021
 OS/Arch:           darwin/arm64
 Context:           default
 Experimental:      true

Server: Docker Desktop 4.5.0 (74594)
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:43:07 2021
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.4.12
  GitCommit:        7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
» ls -lah /usr/local/bin/docker-credential-ecr-login
lrwxr-xr-x  1 root  wheel    75B  1 Dec 20:07 /usr/local/bin/docker-credential-ecr-login -> /Applications/Docker.app/Contents/Resources/bin/docker-credential-ecr-login
» docker-credential-ecr-login -v
amazon-ecr-credential-helper
Version:    0.6.0
Git commit: 69c85dc22db6511932bbf119e1a0cc5c90c69a7f
» aws --version
aws-cli/2.4.18 Python/3.9.10 Darwin/21.3.0 source/arm64 prompt/off

chriswyatt commented 1 year ago

I'm also on arm64 (Mac M1) and having a similar issue

zchenyu commented 1 year ago

Bump. Running into the same issue with SSO:

$ cat ~/.ecr/log/ecr-login.log
time="2023-04-28T12:20:09-07:00" level=debug msg="Retrieving credentials" region=us-east-1 registry=ACCOUNT_ID serverURL=ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com service=ecr
time="2023-04-28T12:20:09-07:00" level=debug msg="Checking file cache" registry=ACCOUNT_ID
time="2023-04-28T12:20:09-07:00" level=debug msg="Calling ECR.GetAuthorizationToken" registry=ACCOUNT_ID
time="2023-04-28T12:20:09-07:00" level=error msg="Error retrieving credentials" error="ecr: Failed to get authorization token: UnrecognizedClientException: The security token included in the request is invalid.\n\tstatus code: 400, request id: d7b1caf9-cea4-4910-aac9-024b9e97c8fa"
$ docker pull ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/eks-us-east-1:TAG
Error response from daemon: Head "https://ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/v2/REPO/manifests/TAG": no basic auth credentials

in-op commented 1 year ago

Bump also, same issue.

macOS Ventura 13.2.1, still on the Intel silicon, using the new 0.7.0 version too

in-op commented 1 year ago

I believe this commit fixed the problem as it was something in the dependency – however it's not yet in a new release.

Building directly from source fixes the issue for me.

Please make a new release of this lib :)

chrisk314 commented 1 year ago

I'm also hitting this issue. Using aws ecr get-login-password I can docker pull without any problems. I've installed from source just now using go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@latest and I still face this issue.

docker config.json as below.

{
  "credsStore": "ecr-login",
  "credHelpers": {
    "public.ecr.aws": "ecr-login",
    "X.dkr.ecr.eu-west-1.amazonaws.com": "ecr-login"
  }
}

Ubuntu 22.04 in Windows 11 WSL2

saugion commented 9 months ago

Same here, it only works fine if I specify the AWS_PROFILE before the docker pull command. It's not getting the default profile otherwise.

Mac OS Sonoma 14.1.1

Edit: I solved it following these steps: https://github.com/awslabs/amazon-ecr-credential-helper/issues/229#issuecomment-1026149912. In particular, removing the credentials file from the .aws folder.

zelucena commented 4 weeks ago

I set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables to solve it... Since I had aws configure I think it should work out of the box
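The two checks a practitioner would run against the symptoms in this thread, as an added diagnostic script that is not part of amazon-ecr-credential-helper or anyone's comment here: it parses the ecr-login.log error lines shown above, and it detects the case saugion and zelucena hit, where a profile has static keys in ~/.aws/credentials that the SDK's provider chain prefers over the SSO settings in ~/.aws/config. The file paths, the sample log lines and the INI contents are constructed to mirror the thread; the key and start URL values are placeholders.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the project) for the error discussed in this thread:
# "UnrecognizedClientException: The security token included in the request is invalid."
# (1) count those errors in an ecr-login.log and collect their request ids;
# (2) flag a profile whose static keys in ~/.aws/credentials shadow its SSO config.
set -eu

# Print "<count> <id1,id2,...>" for invalid-security-token errors in LOG; return 1 if none.
ecr_token_errors() {
  log="$1"; count=0; ids=""
  while IFS= read -r line; do
    case "$line" in
      *"The security token included in the request is invalid"*)
        count=$((count + 1))
        # both shapes seen in the thread: "RequestID: xxx," and "request id: xxx"
        id=$(printf '%s\n' "$line" | sed -n 's/.*[Rr]equest *[Ii][Dd]: *\([^,"]*\).*/\1/p')
        ids="${ids:+$ids,}${id:-unknown}" ;;
    esac
  done < "$log"
  printf '%s %s\n' "$count" "$ids"
  [ "$count" -gt 0 ]
}

# ini_has FILE SECTION KEY: succeed if KEY is set under the INI header SECTION (e.g. "[default]").
ini_has() {
  awk -v sect="$2" -v key="$3" '
    /^\[/ { insect = ($0 == sect); next }
    insect && $0 ~ "^[ \t]*" key "[ \t]*=" { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# Succeed when PROFILE has aws_access_key_id in CREDS and sso_* settings in CONFIG: the SDK
# takes the static keys first, so a stale pair fails like this even after `aws sso login`.
sso_profile_shadowed() {
  creds="$1"; config="$2"; profile="$3"
  ini_has "$creds" "[$profile]" aws_access_key_id || return 1
  if [ "$profile" = default ]; then sect="[default]"; else sect="[profile $profile]"; fi
  ini_has "$config" "$sect" sso_start_url || ini_has "$config" "$sect" sso_session
}

# Constructed sample files mirroring the thread (fake key, placeholder start URL).
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/ecr-login.log" <<'EOF'
time="2022-02-18T15:13:03+13:00" level=debug msg="couldn't get authorization token for default registry" error="ecr: Failed to get authorization token: operation error ECR: GetAuthorizationToken, https response error StatusCode: 400, RequestID: xxx, api error UnrecognizedClientException: The security token included in the request is invalid."
time="2023-04-28T12:20:09-07:00" level=error msg="Error retrieving credentials" error="ecr: Failed to get authorization token: UnrecognizedClientException: The security token included in the request is invalid.\n\tstatus code: 400, request id: d7b1caf9-cea4-4910-aac9-024b9e97c8fa"
EOF
printf '[default]\naws_access_key_id = AKIAEXAMPLESTALEKEY\naws_secret_access_key = EXAMPLE\n' > "$work/credentials"
printf '[default]\nsso_start_url = https://example.awsapps.com/start\nsso_region = us-east-1\n' > "$work/config"
ecr_token_errors "$work/ecr-login.log"
sso_profile_shadowed "$work/credentials" "$work/config" default && echo "default: static keys in credentials file shadow the SSO profile"
```

Run it against the real files by pointing the two functions at ~/.ecr/log/ecr-login.log, ~/.aws/credentials and ~/.aws/config with the profile named in AWS_PROFILE (or default).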