amazon-ecr-plugin icon indicating copy to clipboard operation
amazon-ecr-plugin copied to clipboard

Published 20 hours ago verified publisher icon jenkinsci

Documentation unclear on how to create ECR credentials

Open cfsb-jrose opened this issue 1 year ago • 2 comments

Describe your use-case which is not covered by existing documentation.

Documentation references credential-id but doesn't actually specify how the plugin creates the credential or if it needs to be made manually. Also, there is no documentation on how to use with temporary credentials.

Reference any relevant documentation, other materials or issues/pull requests that can be used for inspiration.

No response

Are you interested in contributing to the documentation?

No response

cfsb-jrose avatar Aug 20 '24 02:08 cfsb-jrose

This plugin has a dependency on https://plugins.jenkins.io/aws-credentials/ and those are the credentials it can use. Patches to documentation to make this clearer welcome.

TobiX avatar Aug 20 '24 11:08 TobiX

OK, so I have Jenkins running in ECS and the IAM role associated with the task has all the permissions that are needed. Is the expectation that I create an AWS credentials and provide as registryCredentialsId with value "ecr:us-east-1:credential-id" where credential-id is the actual credential Id set in Jenkins?

cfsb-jrose avatar Sep 17 '24 21:09 cfsb-jrose

Hello,

I am getting the following error when I try to use the recommended actions cited above:

java.lang.NullPointerException: Access key ID cannot be blank.
	at PluginClassLoader for aws-java-sdk2-core//software.amazon.awssdk.utils.Validate.notNull(Validate.java:119)
	at PluginClassLoader for aws-java-sdk2-core//software.amazon.awssdk.auth.credentials.AwsBasicCredentials.<init>(AwsBasicCredentials.java:68)
	at PluginClassLoader for aws-java-sdk2-core//software.amazon.awssdk.auth.credentials.AwsBasicCredentials.<init>(AwsBasicCredentials.java:43)
	at PluginClassLoader for aws-java-sdk2-core//software.amazon.awssdk.auth.credentials.AwsBasicCredentials$Builder.build(AwsBasicCredentials.java:238)
	at PluginClassLoader for aws-java-sdk2-core//software.amazon.awssdk.auth.credentials.AwsBasicCredentials.create(AwsBasicCredentials.java:100)
	at PluginClassLoader for aws-credentials//com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.resolveCredentials(AWSCredentialsImpl.java:170)
	at PluginClassLoader for aws-credentials//com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl.getCredentials(AWSCredentialsImpl.java:236)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1295)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:869)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:818)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:805)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:779)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:735)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:717)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:581)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:559)
	at PluginClassLoader for aws-java-sdk-ecr//com.amazonaws.services.ecr.AmazonECRClient.doInvoke(AmazonECRClient.java:3770)
	at PluginClassLoader for aws-java-sdk-ecr//com.amazonaws.services.ecr.AmazonECRClient.invoke(AmazonECRClient.java:3737)
	at PluginClassLoader for aws-java-sdk-ecr//com.amazonaws.services.ecr.AmazonECRClient.invoke(AmazonECRClient.java:3726)
	at PluginClassLoader for aws-java-sdk-ecr//com.amazonaws.services.ecr.AmazonECRClient.executeGetAuthorizationToken(AmazonECRClient.java:1939)
	at PluginClassLoader for aws-java-sdk-ecr//com.amazonaws.services.ecr.AmazonECRClient.getAuthorizationToken(AmazonECRClient.java:1907)
	at PluginClassLoader for amazon-ecr//com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryCredential.getPassword(AmazonECSRegistryCredential.java:157)
	at PluginClassLoader for amazon-ecr//com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryTokenSource.convert(AmazonECSRegistryTokenSource.java:52)
	at PluginClassLoader for amazon-ecr//com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryTokenSource.convert(AmazonECSRegistryTokenSource.java:37)
	at PluginClassLoader for authentication-tokens//jenkins.authentication.tokens.api.AuthenticationTokens.convert(AuthenticationTokens.java:148)
	at PluginClassLoader for authentication-tokens//jenkins.authentication.tokens.api.AuthenticationTokens.convert(AuthenticationTokens.java:110)
	at PluginClassLoader for docker-commons//org.jenkinsci.plugins.docker.commons.credentials.DockerRegistryEndpoint.getToken(DockerRegistryEndpoint.java:237)
	at PluginClassLoader for docker-commons//org.jenkinsci.plugins.docker.commons.credentials.DockerRegistryEndpoint.newKeyMaterialFactory(DockerRegistryEndpoint.java:310)
	at PluginClassLoader for docker-workflow//org.jenkinsci.plugins.docker.workflow.RegistryEndpointStep$Execution2.newKeyMaterialFactory(RegistryEndpointStep.java:97)
	at PluginClassLoader for docker-workflow//org.jenkinsci.plugins.docker.workflow.AbstractEndpointStepExecution2.doStart(AbstractEndpointStepExecution2.java:52)
	at PluginClassLoader for workflow-step-api//org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)

I do not have an IAM user. I am running Jenkins inside ECS and the associated task role has the necessary permissions to authenticate with ECR. Please advise.

cfsb-jrose avatar Jan 15 '25 22:01 cfsb-jrose

That sounds like a different issue altogether, please open a new issue. (Probably because https://plugins.jenkins.io/aws-credentials/ updated to AWS SDK 2.x and this plugin didn't)

PS: Personally, I switched to https://github.com/isometry/docker-credential-env instead of using this plugin, maybe this works for you, too?

TobiX avatar Jan 15 '25 23:01 TobiX

Created https://github.com/jenkinsci/amazon-ecr-plugin/issues/194 as requested

cfsb-jrose avatar Jan 16 '25 14:01 cfsb-jrose