aws-toolkit-azure-devops
ECRPushImage - Failed to obtain authorization token to log in to ECR, error: UnrecognizedClientException
Describe the bug
I get the following error when using the ECRPushImage@1 task to push an image to my AWS ECR.
Failed to obtain authorization token to log in to ECR, error: UnrecognizedClientException: The security token included in the request is invalid
The full log in Azure DevOps looks like this
Starting: ECRPushImage
==============================================================================
Task : Amazon ECR Push
Description : Push a Docker image to an Amazon Elastic Container Registry on AWS
Version : 1.14.0
Author : Amazon Web Services
Help : Please refer to [Amazon Elastic Container Registry](https://docs.aws.amazon.com/AmazonECR/latest/userguide/) documentation for working with this service.
More information on this task can be found in the [task reference](https://docs.aws.amazon.com/vsts/latest/userguide/ecr-pushimage.html).
####Task Permissions
This task requires permissions to call the following AWS service APIs (depending on selected task options, not all APIs may be used):
* ecr:DescribeRepositories
* ecr:CreateRepository
* ecr:GetAuthorizationToken
==============================================================================
Configuring credentials for task
...configuring AWS credentials from service endpoint '[redacted]'
...configuring AWS credentials from service endpoint '[redacted]'
...endpoint defines role-based credentials for role ***.
Configuring region for task
...configured to use region ap-southeast-4, defined in task.
Pushing image 'discord-musicbot:89'
Obtaining authentication token for ECR login
##[error]Error: Failed to obtain authorization token to log in to ECR, error: UnrecognizedClientException: The security token included in the request is invalid
Finishing: ECRPushImage
To reproduce
- Use the following task in azure-pipelines.yml
- task: ECRPushImage@1
  inputs:
    awsCredentials: "AWS ECR"
    regionName: $(AWS_REGION)
    imageSource: "imagename"
    sourceImageName: $(DOCKER_REPOSITORY_NAME)
    sourceImageTag: $(tag)
    pushTag: latest
    repositoryName: $(DOCKER_REPOSITORY_NAME)
- Create a user in IAM
- Create a role and assign it the following policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "[redacted - ECR ARN]"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    }
  ]
}
Expected behavior
Obtaining an authentication token for ECR login should be successful and the image should be pushed to the container repository.
Screenshots
Your Environment
- All cloud-based
- Azure DevOps version: Version Dev19.M234.1 (AzureDevOps_M234_20240224.1)
- AWS Toolkit for Azure DevOps version: 1.14.0
Additional context
- Created an IAM user called Azure-DevOps and created an access key and secret. Those have been put into the service connection in Azure DevOps.
- Created a role and I'm using assume role in the service connection (the role's ARN). The role has the following trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[redacted]:user/Azure-DevOps"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- The region of my repository is ap-southeast-4 (Melbourne)
- My user, role and policy are in the default us-east-1 region
- I have tried giving my role and the policy literally ALL permissions to everything ["*"] but it changes nothing
- According to the user section in IAM, the access key is being used (last used one hour ago, etc)
- I have looked at every slightly-related GitHub issue and searched dozens of pages from Google and Bing. Tried everything for days.
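A policy check worth running against the configuration described in this issue, added here as an example and not part of the issue or of the toolkit: it compares the ECR APIs the task declares in its log header with what the posted role policy actually allows, and confirms that ecr:GetAuthorizationToken is granted on "*" (that action is not resource-scoped). The repository ARN is a constructed placeholder, since the issue redacts it.

```python
import fnmatch

# APIs the ECRPushImage task lists in its log header in the issue above.
TASK_REQUIRED_ACTIONS = [
    "ecr:DescribeRepositories",
    "ecr:CreateRepository",
    "ecr:GetAuthorizationToken",
]

# The role's permissions policy as posted in the issue. The redacted
# repository ARN is replaced with a constructed placeholder.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["ecr:BatchGetImage", "ecr:BatchCheckLayerAvailability",
                    "ecr:CompleteLayerUpload", "ecr:DescribeImages",
                    "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer",
                    "ecr:InitiateLayerUpload", "ecr:ListImages",
                    "ecr:PutImage", "ecr:UploadLayerPart"],
         "Resource": "arn:aws:ecr:ap-southeast-4:123456789012:repository/PLACEHOLDER"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Yield (action_pattern, resources) for every Allow statement, lower-cased."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            yield action.lower(), _as_list(stmt.get("Resource", []))


def missing_actions(policy, required=TASK_REQUIRED_ACTIONS):
    """Required actions no Allow statement covers (wildcards like ecr:* match)."""
    grants = list(allowed_actions(policy))
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), pat) for pat, _ in grants)]


def token_grant_is_account_wide(policy):
    """True if ecr:GetAuthorizationToken is allowed with Resource "*"."""
    return any(fnmatch.fnmatchcase("ecr:getauthorizationtoken", pat) and "*" in res
               for pat, res in allowed_actions(policy))
```

Against the posted policy the only declared API not granted is ecr:CreateRepository, which the task needs only when it is asked to create the repository; the GetAuthorizationToken grant is correct, so the policy itself does not explain the UnrecognizedClientException.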