awslabs / amazon-ecr-credential-helper

Automatically gets credentials for Amazon ECR on docker push/docker pull
Apache License 2.0

Not working with IMDSv2 #323

Closed waiyanmin95 closed 5 hours ago

waiyanmin95 commented 2 years ago

OS: Ubuntu 20.04

I'm facing the issue (can't use amazon-ecr-credential-helper) with EC2 IMDSv2. I used the EC2 Instance profile and attached it to the EC2 instance.

danwashusen commented 2 years ago

It would be really great if the debug logging around IMDS was improved while this is being 'fixed'. It took us far too long to figure out this was the issue...

ptrdlbrg commented 2 years ago

I hit this problem too. I changed IMDSv2 session tokens to "required" and then amazon-ecr-credential-helper version 0.6.0 stopped returning credentials. When I set the IMDS session tokens back to "optional" then the credential helper started returning credentials again.

I looked back in the issues and found #215 which indicates that amazon-ecr-credential-helper should work with IMDSv2 since version 0.5.0. I'm not sure if this is a regression or if this functionality didn't work even in 0.5.0.

kholisrag commented 1 year ago

Same for me.

Trying to use IMDSv2, but I still got this result:

$ echo "xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com" | docker-credential-ecr-login get

credentials not found in native keychain

Any workaround to fix this issue?

adkafka commented 1 year ago

I had this issue as well, but I noticed that my version of docker-credential-ecr-login was old:

$ docker-credential-ecr-login -v
amazon-ecr-credential-helper
Version:    0.3.1
Git commit: b4a1707

I updated the binary in-place, after installing:

$ sudo curl https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login -o `which docker-credential-ecr-login`
$ sudo chmod +x `which docker-credential-ecr-login`

And now it is working as expected on a machine that only supports IMDSv2!

ptrdlbrg commented 2 days ago

Version testing

I launched the latest Ubuntu 20.04 AMI on AWS and did an apt install -y amazon-ecr-credential-helper and I confirmed that the version installed was 0.3.1. My testing confirms that that version does NOT work with IMDSv2, but it was never advertised to. Only 0.5.0 and higher are supposed to work with IMDSv2.

I launched the latest Debian 12 AMI on AWS and did an apt install -y amazon-ecr-credential-helper. That installs version 0.6.0. My testing confirms that that version DOES work with IMDSv2.

I also tested with each of the binaries downloaded directly from the links at https://github.com/awslabs/amazon-ecr-credential-helper/releases. My tests confirm that 0.4.0 doesn't work with IMDSv2, but 0.5.0 and all later versions do work with IMDSv2.

My comment from 2022 indicates that either the amazon-ecr-credential-helper package was mislabeled as 0.6.0 but didn't contain the 0.6.0 code, or I was somehow mistaken as to the version I installed. Since others had similar problems around the same time, I tend to think I wasn't mistaken, but it doesn't matter now.

Solution

Either use a distro whose APT repo contains version 0.5.0 or higher, or directly download the docker-credential-ecr-login binary from the links on the releases page as @adkafka did.

Since there are no changes needed in this repo, I suggest that this issue be closed.

henry118 commented 5 hours ago

Closing this issue as suggested. IMDSv2 is available on v0.5.0+.
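
A version gate based on the findings in this thread, as an added example that is not part of the original issue or the project's code: it parses the `docker-credential-ecr-login -v` output format shown above and reports whether the helper meets the 0.5.0 minimum before IMDSv2 session tokens are set to "required". The function names and the 0.6.0 sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): check that the installed helper is
# >= 0.5.0, the first version this thread reports as working with IMDSv2.
MIN_VERSION="0.5.0"

# Output quoted in the thread for the Ubuntu 20.04 package.
SAMPLE_OLD='amazon-ecr-credential-helper
Version:    0.3.1
Git commit: b4a1707'
# Constructed sample in the same format; the commit value is a placeholder.
SAMPLE_NEW='amazon-ecr-credential-helper
Version:    0.6.0
Git commit: <placeholder>'

# Print the value of the "Version:" line from `-v` output (empty if absent).
parse_helper_version() {
  printf '%s\n' "$1" | awk '$1 == "Version:" { print $2; exit }'
}

# Succeed if dotted version $1 >= $2, comparing each field numerically
# so that 0.10.0 sorts above 0.5.0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = x[i] + 0; yi = y[i] + 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Print a verdict for the given `-v` output: 0 = ok, 1 = too old, 2 = unparsable.
check_helper_output() {
  v=$(parse_helper_version "$1")
  if [ -z "$v" ]; then echo "unknown"; return 2; fi
  if version_ge "$v" "$MIN_VERSION"; then echo "ok $v"; return 0; fi
  echo "too-old $v"; return 1
}

# Use the real binary when present, otherwise the sample from the thread.
if command -v docker-credential-ecr-login >/dev/null 2>&1; then
  out=$(docker-credential-ecr-login -v 2>&1)
else
  out=$SAMPLE_OLD
fi
check_helper_output "$out" || echo "upgrade or verify the helper before requiring IMDSv2 session tokens"
```
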