concourse / registry-image-resource

a resource for images in a Docker registry
Apache License 2.0

ECR login not working: Invalid header field value. #333

Closed AXington closed 1 year ago

AXington commented 1 year ago

Trying to set up Concourse at work for my team and push to an ECR repo. This is currently not working as I'm getting an error about an invalid header field for "Authorization".

I have verified that the aws_access_key_id and aws_secret_access_key combination works on my local terminal.

Here's my current resource definition (with the repository name changed).

- name: docker-image
  type: registry-image
  icon: docker
  source:
    aws_access_key_id: ((common.aws-access-key-id))
    aws_secret_access_key: ((common.aws-secret-access-key))
    aws_region: us-east-1
    repository: foo

For clarification, foo in this context is just the repository name, not the full URI. I have, however, tried that, and many other combinations with the aws_region set to both us-east-1 and 012345678910.dkr.ecr.us-east-1.amazonaws.com (account number obviously changed, and using the example from the very poorly worded docs entry for aws_region).

Full error message and logs:

selected worker: concourse-worker-0

WARN[0000] ECR integration is experimental and untested 

ERRO[0000] failed to authenticate to ECR: RequestError: send request failed

caused by: Post "https://api.ecr.us-east-1.amazonaws.com/": net/http: invalid header field value for "Authorization" 

ERRO[0000] cannot authenticate with ECR                 

I've seen several issues where people have requested using roles attached to EC2 instances, but that keeps getting rejected. I also wonder why not add a field for the account number portion of the ECR repo, or just allow specifying the full path, since this seems to cause a lot of confusion. I did try to search for other issues about this and found several about ECR in general, but few if any seem to ever get resolved. What needs to be done to fix this? I'm half tempted to just write a script to do a docker push instead of relying on the 'put'. But what's the point of using Concourse at that point and not just using Jenkins or some other pipeline-as-code solution?

quantumkisa commented 1 year ago

Hello, @AXington. Have you resolved your issue somehow?

ritik872000 commented 1 year ago

Hi @AXington, in repository you need to pass the full path, which you can get in ECR (open the image and copy the URI). Paste that in your repository and pass the tag separately, for example:

URI : account_nr.dkr.ecr.eu-west-1.amazonaws.com/aws-credentials-resource:0.13.0

then

repository: account_nr.dkr.ecr.eu-west-1.amazonaws.com/aws-credentials-resource
tag: 0.13.0

AXington commented 1 year ago

The issue actually lay in escaping the URI when it was stored in a Kube secret. We weren't using Vault or another secret manager, just straight kube secrets.
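
Go's net/http returns the `invalid header field value for "Authorization"` error in the log above when a header value contains a control character, and the SigV4 Authorization header embeds the access key ID. As an added example (not from this thread or the project), the check below reports which secret-derived source fields contain such bytes without printing the values; the field names are taken from the resource definition above, and the sample values and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// BadByte records where a rejected byte sits, never the secret itself.
type BadByte struct {
	Offset int
	Value  byte
}

// InvalidHeaderBytes returns the bytes that Go's net/http refuses in a
// header value: control characters (below 0x20, or 0x7f) other than tab.
func InvalidHeaderBytes(v string) []BadByte {
	var bad []BadByte
	for i := 0; i < len(v); i++ {
		b := v[i]
		if (b < 0x20 && b != '\t') || b == 0x7f {
			bad = append(bad, BadByte{Offset: i, Value: b})
		}
	}
	return bad
}

// CheckSource inspects every field and returns one line per offending
// byte, sorted, quoting only the field name, offset and byte value.
func CheckSource(fields map[string]string) []string {
	var report []string
	for name, value := range fields {
		for _, bb := range InvalidHeaderBytes(value) {
			report = append(report, fmt.Sprintf("%s: byte 0x%02x at offset %d of %d",
				name, bb.Value, bb.Offset, len(value)))
		}
	}
	sort.Strings(report)
	return report
}

func main() {
	// Constructed sample values. A trailing newline is one way a control
	// character ends up in a secret, e.g. `echo KEY | base64` without -n.
	source := map[string]string{
		"aws_access_key_id":     "AKIAEXAMPLEEXAMPLE00\n",
		"aws_secret_access_key": "constructedSecretValue/NotReal",
		"aws_region":            "us-east-1",
	}
	for _, line := range CheckSource(source) {
		fmt.Println(line)
	}
}
```

Run it against the decoded secret values rather than the base64 text, since the stray byte only appears after decoding.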