amazon-ecr-credential-helper
amazon-ecr-credential-helper copied to clipboard
awslabs
Failed to get authorization token: NoCredentialProviders with brew installed package.
I've got errors while I use the package installed with brew install docker-credential-helper-ecr
$ AWS_PROFILE=xxx-xxx-xxx docker pull xxxxxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/debugger
Using default tag: latest
Error response from daemon: Get https://xxxxxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/v2/debugger/manifests/latest: no basic auth credentials
and the log in ~/.ecr/log/ecr-login.log
time="2020-06-18T10:55:10+08:00" level=debug msg="Could not fetch credentials for cache prefix, disabling cache" error="NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"
time="2020-06-18T10:55:10+08:00" level=debug msg="Retrieving credentials" region=us-east-2 registry=xxxxxxxxxx serverURL=xxxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com
time="2020-06-18T10:55:10+08:00" level=debug msg="Calling ECR.GetAuthorizationToken" registry=xxxxxxxxxx
time="2020-06-18T10:55:11+08:00" level=error msg="Error retrieving credentials" error="ecr: Failed to get authorization token: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"
but when i uninstall it and build from source it work well.The packages have the same version 0.6.3 but different size:
-r-xr-xr-x 1 youqing staff 11180912 Jan 3 07:16 /usr/local/Cellar/docker-credential-helper-ecr/0.4.0/bin/docker-credential-ecr-login
-rwxr-xr-x 1 youqing staff 11137424 Jun 18 10:22 /usr/local/bin/docker-credential-ecr-login.bk
I can't get more infromation or additional debugging, any one who can give me some sugesstion?
Environemnt:
$ uname -a
Darwin Youqings-MacBook-Pro.local 17.7.0 Darwin Kernel Version 17.7.0: Wed May 27 17:00:02 PDT 2020; root:xnu-4570.71.80.1~1/RELEASE_X86_64 x86_64
$ brew --version
Homebrew 2.4.0
Homebrew/homebrew-core (git revision 22c2; last commit 2020-06-18)
Homebrew/homebrew-cask (git revision 15c5c; last commit 2020-06-18)
$ docker verion
Client: Docker Engine - Community
Version: 19.03.8
API version: 1.40
Go version: go1.12.17
Git commit: afacb8b
Built: Wed Mar 11 01:21:11 2020
OS/Arch: darwin/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 19.03.8
API version: 1.40 (minimum version 1.12)
Go version: go1.12.17
Git commit: afacb8b
Built: Wed Mar 11 01:29:16 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.2.13
GitCommit: 7ad184331fa3e55e52b890ea95e65ba581ae3429
runc:
Version: 1.0.0-rc10
GitCommit: dc9208a3303feef5b3839f4323d9beb36df0a9dd
docker-init:
Version: 0.18.0
GitCommit: fec3683
Try switching from AWS_PROFILE to AWS_DEFAULT_PROFILE? I use aws-vault. For me, it was as simple as:
aws-vault exec {profile} -- docker pull xxxxxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/debugger
Hey @hanyouqing, I'm sorry that you're experiencing this issue. I'm not an expert in Mac OS or in Homebrew and I don't have a Mac to test with, so I don't know that I can provide you a solution. However, if you're able to tell me a bit more information and try a few things we might be able to narrow down where the problem is.
What version of Mac OS are you running?
Where are you sourcing your credentials? (The ~/.aws/credentials file? Environment variables? A credential_helper process? Using assume_role?)
What version of Go are you using when you build from source?
Looking at the formula, I don't see anything that stands out to me. It looks like the sources (including vendored dependencies) are checked out to buildpath/"src/github.com/awslabs/amazon-ecr-credential-helper" and then built with make build. Are you building with make (or make build) or directly with go build?
The file paths for the binaries are different and I know that this isn't typically a problem, but if you copy the binary installed at /usr/local/Cellar/docker-credential-helper-ecr/0.4.0/bin/docker-credential-ecr-login to /usr/local/bin/docker-credential-ecr-login does it start working? Or, does the binary you built stop working if you copy it into the Homebrew-managed directory?
Can you try running the credential helper directly instead of with Docker? You can cause it to get run like this:
docker-credential-ecr-login get <<< xxxxxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com/debugger
On Linux, I use strace to figure out when things aren't working as I expect. strace lets me see the syscalls that the program makes to the Linux kernel. I believe that a similar tool on Mac OS is dtruss, but I've never used it. If you're familiar with dtruss (or otherwise interested in trying it out), can you see if the credential helper is reading the expected files (~/.aws/credentials and ~/.aws/config) and executing any credential_process programs.
I seem to be experiencing this error too. I've got a profile with a credential_process.
I used dtruss, and I could see the ~/.aws/credentials file being opened, but weirdly, not the ~/.aws/config file. I tested what would happen if I commented out the credential_process line the ~/.aws/config file, and I got exactly the same error in the log files.
Ah, this is linked to #232. Once I added AWS_SDK_LOAD_CONFIG=true to my command line, the config file was read and my credential_process worked. Any chance of a new release to homebrew?
@chalford AFAIK, the maintainers need to package a release and then the rest of it should fall in place.
Sollution for me : Don't use capitals in ~/.aws/secrets This works:
[default]
aws_access_key_id=
aws_secret_access_key=
This doesn't:
[default]
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
