awslabs / amazon-ecr-credential-helper

Automatically gets credentials for Amazon ECR on docker push/docker pull
Apache License 2.0

Collaborating the credential-helper with aws SSO fails #573

Open JoshuaGhost opened 11 months ago

JoshuaGhost commented 11 months ago

I have been trying to collaborate the ecr + credential-helper and aws SSO authentication. Here is what I did and how it fails: First, I set up the sso-authentication with

aws configure sso-session

and

aws configure sso

the automatically generated ~/.aws/config looks like this:

[sso-session my-sso]
sso_start_url = https://***
sso_region = ***
sso_registration_scopes = sso:account:access
[profile p1]
sso_session = my-sso
sso_account_id = ***
sso_role_name = ***
region = ***
output = json

I can now login using

aws sso login --profile p1

Then I installed amazon-ecr-credential-helper under Ubuntu 20.04.6 LTS through go install. I also updated the ~/.docker/config.json according to the readme.md as follows:

{
  "credHelpers": {
    /*helper settings for other IaaS providers like GCP*/
    "<aws-user-id>.dkr.ecr.<aws-cli-region>.amazonaws.com/<ecr-registry-name>": "ecr-login"
  },
  "credsStore": "ecr-login"
}

But now, after logging in using the sso, I can't push or pull the image to/from the ECR. The error message says that I have "no basic auth credentials".

I could actually use the trick suggested here to get the password and redirect it to the --password-stdin argument of docker login using the pipeline operator "|". But this command has the following side-effects:

  1. It removes my ~/.docker/config.json file and creates a new one with only the auth passwords.
  2. It stores the password in the ~/.docker/config.json file in (base64-encoded) plain text.

I don't like either of these side-effects so could you please help me by telling me the most practical way of using the tool chain?

After searching on the internet and within the issues of this repo, I found this issue, which mentioned an influent orchestration of sso and credential helper. @austinvazquez suggested updating the credential-helper. But for me, updating it doesn't resolve the problem.


Edit on 20.07.2023:

I re-installed the newest version of credential-helper using go install; the error on login changes to

Error saving credentials: error storing credentials - err: exit status 1, out: `not implemented`

But the good news is, by removing the two configuration entries:

"credsStore": "ecr-login"

and

 "<aws-user-id>.dkr.ecr.<aws-cli-region>.amazonaws.com/<ecr-registry-name>": "ecr-login"

I can finally log in using the command with the pipeline operator "|". And my old docker config is not flushed. But the authentication token is still stored in plain text...

gopipal commented 3 months ago

You may need to docker logout "<aws-user-id>.dkr.ecr.<aws-cli-region>.amazonaws.com" since docker can cache old creds.

I am using the latest aws credentials helper and it works with aws sso.

go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@latest
sudo cp "$(go env GOPATH)/bin/docker-credential-ecr-login" /usr/bin/

This is my ~/.docker/config.json

{
    "credHelpers": {
        "<aws-user-id>.dkr.ecr.<aws-cli-region>.amazonaws.com": "ecr-login"
    }
}
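An added example (not the repository's code and not from either commenter): a small Go audit of the ~/.docker/config.json shape discussed in both posts. For each registry it reports whether Docker would call a credential helper (per-registry credHelpers entry or global credsStore) or read a base64 user:password pair stored inline in "auths", which is the side-effect the reporter objected to. The account IDs and token in the embedded sample are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"strings"
)

// dockerConfig holds the ~/.docker/config.json fields that decide where Docker gets credentials.
type dockerConfig struct {
	Auths       map[string]struct{ Auth string `json:"auth"` } `json:"auths"`
	CredHelpers map[string]string                             `json:"credHelpers"`
	CredsStore  string                                        `json:"credsStore"`
}

// Finding: Helper is the credHelpers entry for the registry, else the global credsStore, else "";
// Plaintext means a non-empty base64 user:password "auth" value sits on disk; Username is its user half.
type Finding struct {
	Helper, Username string
	Plaintext        bool
}
// AuditDockerConfig parses config.json and reports a Finding per registry it mentions.
func AuditDockerConfig(raw []byte) (map[string]Finding, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	findings := map[string]Finding{}
	for r, h := range cfg.CredHelpers {
		findings[r] = Finding{Helper: h}
	}
	for r, a := range cfg.Auths {
		f, ok := findings[r]
		if !ok { // no per-registry helper, so the global credsStore (if any) applies
			f = Finding{Helper: cfg.CredsStore}
		}
		if dec, err := base64.StdEncoding.DecodeString(a.Auth); err == nil && a.Auth != "" { // {} = helper-served
			f.Plaintext, f.Username = true, strings.SplitN(string(dec), ":", 2)[0] // never expose the secret half
		}
		findings[r] = f
	}
	return findings, nil
}
// SampleConfig is a constructed config.json (placeholder account IDs and token, not real ones):
// one registry with an inline "auth" as docker login leaves it, one routed to ecr-login.
func SampleConfig() []byte {
	inline := base64.StdEncoding.EncodeToString([]byte("AWS:placeholder-token"))
	return []byte(`{"auths": {"111111111111.dkr.ecr.us-east-1.amazonaws.com": {"auth": "` + inline +
		`"}}, "credHelpers": {"222222222222.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"}}`)
}
```

Running it against a real config (os.ReadFile on ~/.docker/config.json) shows which registries still carry a stored pair after a `docker login` and which are served by ecr-login.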