awslabs / amazon-ecr-credential-helper

Automatically gets credentials for Amazon ECR on docker push/docker pull
Apache License 2.0

Unable to pull from ECR using IAM Role on Instance #352

Open ip-sf opened 2 years ago

ip-sf commented 2 years ago

I have been beating my head against a wall, and everything I search on Google is now a purple link.

I am attempting to use this in conjunction with Nomad, but I cannot even get this working, let alone the issues with Nomad.

I am using an IAM policy attached to the role that is assigned to the EC2 instance I am attempting to use. The IAM Policy is the standard AmazonEC2ContainerServiceforEC2Role.

When manually logging in using aws ecr and docker login I can push/pull just fine, so I think I've ruled out IAM related issues.

aws ecr get-login-password --region us-west-2 | \
sudo docker login --username AWS --password-stdin \
<account>.dkr.ecr.us-west-2.amazonaws.com

sudo docker pull <account>.dkr.ecr.us-west-2.amazonaws.com/<image>:latest
latest: Pulling from <image>
42c077c10790: Pull complete
f63e77b7563a: Pull complete
0c31162eec9d: Pull complete
7cfd3784111c: Pull complete
791791ccdd73: Pull complete
ef21c12392c8: Pull complete
Digest: sha256:f43b...cded3
Status: Downloaded newer image for  <account>.dkr.ecr.us-west-2.amazonaws.com/<image>:latest
 <account>.dkr.ecr.<region>.amazonaws.com/<image>:latest

However, trying to do the same while utilizing docker-credential-ecr-login fails.

I have tried multiple variations of the following in config.json

{
    "credHelpers": {
        "<account>.dkr.ecr.us-west-2.amazonaws.com": "ecr-login"
    }
}

{
    "credsStore": "ecr-login"
}

{
    "credHelpers": {
        "<account>.dkr.ecr.us-west-2.amazonaws.com": "ecr-login"
    },
    "credsStore": "ecr-login"
}

I've tried each variation in the following locations, all with 644 perms

Despite every effort, I get the following:

docker-credential-ecr-login get <<< <account>.dkr.ecr.us-west-2.amazonaws.com
credentials not found in native keychain
cat ~/.ecr/log/ecr-login.log
time="2022-07-28T21:19:46Z" level=debug msg="Could not fetch credentials for cache prefix, disabling cache" error="NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"
time="2022-07-28T21:19:46Z" level=debug msg="Retrieving credentials" region=us-west-2 registry=<account> serverURL=<account>.dkr.ecr.us-west-2.amazonaws.com
time="2022-07-28T21:19:46Z" level=debug msg="Calling ECR.GetAuthorizationToken" registry=<account>
time="2022-07-28T21:19:46Z" level=error msg="Error retrieving credentials" error="ecr: Failed to get authorization token: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"

current env

SHELL=/bin/bash
PWD=/root/.docker
LOGNAME=root
HOME=/root
LANG=C.UTF-8
USER=root
LC_TERMINAL_VERSION=3.4.16
SHLVL=1
AWS_SDK_LOAD_CONFIG=true  # I've tried this true/false and unset
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
MAIL=/var/mail/root
_=/usr/bin/env

Contents of /root/.aws/config, the only file in .aws/

cat ~/.aws/config
[default]
region = us-west-2

I'm sure there is something really simple I am missing, but the error logging isn't very helpful in this case. What chain? Why is it using a chain if it doesn't need credentials because of the existing IAM policy?

TIA for any suggestions or troubleshooting advice!
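As an added example (not code from the issue or from the project), a Python triage script that answers the "what chain?" question offline: `helper_for` shows which helper Docker will pick for a registry host from config.json (credHelpers is consulted before credsStore), and `triage` classifies ecr-login log lines of the shape quoted above against the AWS SDK for Go credential chain. The account id, registry host and log lines are constructed from the placeholders in this post.

```python
import json
import re
from typing import Dict, List, Optional

# Docker consults "credHelpers" (exact registry-host match) before the global "credsStore".
def helper_for(config_json: str, registry: str) -> Optional[str]:
    cfg = json.loads(config_json)
    return cfg.get("credHelpers", {}).get(registry) or cfg.get("credsStore")

# Shape of ~/.ecr/log/ecr-login.log lines (logrus text format); the error value may contain \" escapes.
LOG_RE = re.compile(
    r'time="(?P<ts>[^"]+)" level=(?P<level>\w+) msg="(?P<msg>[^"]*)"'
    r'(?: error="(?P<err>(?:\\"|[^"])*)")?'
)

# Substrings from the AWS SDK for Go credential chain, mapped to what to verify first.
HINTS = [
    ("NoCredentialProviders",
     "no provider in the SDK chain (env vars, ~/.aws/credentials, then EC2 instance metadata) "
     "returned credentials: confirm the instance profile is attached, IMDS is reachable from "
     "the helper's context, and the helper binary is a current build"),
    ("AccessDenied",
     "credentials were found but IAM denied the call: the role needs ecr:GetAuthorizationToken"),
]

def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per level=error line, with the chain hint that matches its error."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["level"] != "error":
            continue
        err = m["err"] or ""
        hint = next((h for pat, h in HINTS if pat in err), "unrecognised error, read the full line")
        findings.append({"time": m["ts"], "msg": m["msg"], "hint": hint})
    return findings

# Constructed sample inputs modelled on the values quoted in the issue (account id is a placeholder).
REGISTRY = "123456789012.dkr.ecr.us-west-2.amazonaws.com"
SAMPLE_CONFIG = '{"credHelpers": {"%s": "ecr-login"}}' % REGISTRY
SAMPLE_LOG = (
    'time="2022-07-28T21:19:46Z" level=debug msg="Calling ECR.GetAuthorizationToken" registry=123456789012\n'
    'time="2022-07-28T21:19:46Z" level=error msg="Error retrieving credentials" '
    'error="ecr: Failed to get authorization token: NoCredentialProviders: no valid providers in chain. '
    'Deprecated.\\n\\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"\n'
)

if __name__ == "__main__":
    print("helper for", REGISTRY, "->", helper_for(SAMPLE_CONFIG, REGISTRY))
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["msg"], "=>", f["hint"])
```

Run it against your real `~/.docker/config.json` and `~/.ecr/log/ecr-login.log` by swapping in the file contents; a `None` from `helper_for` means Docker never invokes the helper for that host at all.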

abronan commented 2 years ago

@ip-sf Which version of docker-credential-ecr-login are you using?

You can check this by running docker-credential-ecr-login -v.

I had the same error (although this was using an SSO config) that was due to an outdated version of the tool installed via apt on Ubuntu. Doing a go install on latest (following the documentation) solved it.

robertkruk commented 2 years ago

I used the following

code ~/.docker/config.json

edit config.json

{
    "auths": {
        "account1111.dkr.ecr.ap-southeast-2.amazonaws.com": {},
        "accountxxxx.dkr.ecr.ap-southeast-2.amazonaws.com": {},
        "registry.gitlab.com": {}
    },
    "credsStore": "ecr-login"
}

then

AWS_PROFILE=profile-name docker pull accountxxx.dkr.ecr.ap-southeast-2.amazonaws.com/foo/bar:latest

ymguerra commented 1 year ago

Hi @ip-sf , did you manage to solve this problem? I have the exact same issue

ghost commented 1 year ago

Hi @ip-sf , did you manage to solve this problem? I have the exact same issue

me too I'm dying inside

ip-sf commented 1 year ago

I did get it working, but I don't exactly remember what I had to do.

This is how it's configured in my nomad environment, and it is working.

I can check other config elements if needed, just let me know. Hopefully this helps. Sorry for the delay, I legit didn't see the notifications until today. I feel all of your pain and I want to help :)

Nomad Client Config

plugin "docker" {
  config {
    auth {
      config = "/etc/docker/config.json"
      helper = "ecr-login"
    }
  }
}

/etc/docker/config.json

{
    "credHelpers": {"<accountid>.dkr.ecr.us-west-2.amazonaws.com": "ecr-login"}
}

IAM Instance Profile applied to Nomad Client hosts

{
    "Statement": [
        {
            "Action": [
                "ecr:ListTagsForResource",
                "ecr:GetRepositoryPolicy",
                "ecr:GetLifecyclePolicyPreview",
                "ecr:GetLifecyclePolicy",
                "ecr:GetDownloadUrlForLayer",
                "ecr:DescribeRepositories",
                "ecr:DescribeImages",
                "ecr:DescribeImageScanFindings",
                "ecr:DescribeImageReplicationStatus",
                "ecr:BatchGetRepositoryScanningConfiguration",
                "ecr:BatchGetImage",
                "ecr:BatchCheckLayerAvailability"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ecr:*:<accountid>:repository/*",
            "Sid": ""
        },
        {
            "Action": [
                "ecr:GetRegistryScanningConfiguration",
                "ecr:GetRegistryPolicy",
                "ecr:GetAuthorizationToken",
                "ecr:DescribeRegistry",
                "ecr:DescribePullThroughCacheRules"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

Required config in Nomad Job

https://www.nomadproject.io/docs/drivers/docker#auth_soft_fail

job "job" {
  group "group" {
    task "task" {
      driver = "docker"
      config {
        auth_soft_fail = true
      }
    }
  }
}

Script logic being used to install/configure the ECR helper (truncated)

export GO_VER="1.18.4"
export ECR_HELPER_REPO="github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@latest"
export DEFAULT_ECR_HELPER_CFG="/etc/docker/config.json"
# Install docker-credential-ecr-login
# install go
wget -q https://go.dev/dl/go${GO_VER}.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go${GO_VER}.linux-amd64.tar.gz
sudo ln -s /usr/local/go/bin/go /usr/bin/go
go install $ECR_HELPER_REPO
# This will install to ~/go/bin, move it to somewhere $PATH will find
sudo mv "$HOME/go/bin/docker-credential-ecr-login" /usr/bin/
# Default config.json for provisioning (written with >, not >>, so a re-run does not append a second JSON object)
sudo mkdir -p /etc/docker
sudo sh -c 'cat <<EOF > ${DEFAULT_ECR_HELPER_CFG}
{
    "credHelpers": {"<accountID>.dkr.ecr.<region>.amazonaws.com": "ecr-login"}
}
EOF
'

ip-sf commented 1 year ago

I had the same error (although this was using an SSO config) that was due to an outdated version of the tool installed via apt on Ubuntu. Doing a go install on latest (following the documentation) solved it.

I do believe this was part of it. I am currently installing GO from source and then installing the helper via go directly.

See details in above post.

ghost commented 1 year ago

I had the same error (although this was using an SSO config) that was due to an outdated version of the tool installed via apt on Ubuntu. Doing a go install on latest (following the documentation) solved it.

I do believe this was part of it. I am currently installing GO from source and then installing the helper via go directly.

See details in above post.

@ip-sf You sir, are my hero :) I had ended up doing my own cronjob to refresh my creds, but your way is better. Thank you

apamildner commented 1 year ago

@ip-sf Hero status confirmed again today by solving our issue 🥳