
ECR Password Is Not Populated

Open kurtislamb opened this issue 3 years ago • 6 comments

Hello,

I am using the amazon-ecr-login to generate an ecr_username and ecr_password to use with a docker login as follows but the password doesn't seem to be populated


      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1

      - name: Login to Amazon ECR
        id: login_ecr
        uses: aws-actions/amazon-ecr-login@v1

and then

    outputs:
      ecr_username: ${{ steps.login_ecr.outputs.docker_username_<aws_acc_no>_dkr_ecr_eu_west_1_amazonaws_com }}
      ecr_password: ${{ steps.login_ecr.outputs.docker_password_<aws_acc_no>_dkr_ecr_eu_west_1_amazonaws_com }}

I then reference them in a separate job like this

    services:
      container:
        image: <aws_acc_no>.dkr.ecr.eu-west-1.amazonaws.com/<repo_name>/<container>:<short_sha>
        credentials:
          username: ${{ needs.build.outputs.ecr_username }}
          password: ${{ needs.build.outputs.ecr_password }}

When printed out, the username echoes as AWS whereas the password does not. I suspected this was due to masking, but I get this error:

    Error: .github/workflows/ci.yml (Line: 277, Col: 21): Unexpected value ''
    Error: The template is not valid. .github/workflows/ci.yml (Line: 277, Col: 21): Unexpected value ''

As a way round this I ran the following in the workflow and it works

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1

      - name: get ECR username & password
        id: extract_password
        run: echo "##[set-output name=ecr_password_2;]$(aws ecr get-login-password)"

    outputs:
      ecr_password_2:  ${{ steps.extract_password.outputs.ecr_password_2 }}

    services:
      container:
        image: <aws_acc_no>.dkr.ecr.eu-west-1.amazonaws.com/<repo_name>/<container>:<short_sha>
        credentials:
          username: AWS
          password: ${{ needs.build.outputs.ecr_password_2 }}

I'm not sure what's happening with password as it doesn't seem to be populated

kurtislamb avatar Jun 29 '22 13:06 kurtislamb

As a further development we found that variabilization in the image actually causes a problem. I tested it with hardcoding the image value and the error still occurs.

kurtislamb avatar Jun 30 '22 09:06 kurtislamb

@kurtislamb so the issue is that a key (e.g. ecr_password) under the 'outputs' key doesn't populate if the value given to it is a secret, which the password outputted by the amazon-ecr-login action is while the username is not. I am currently looking for a workaround to see if it's possible.

arjraman avatar Jul 05 '22 16:07 arjraman

@kurtislamb under one of your workflow runs, you should see an annotation with a warning that says something like "Skip output 'ecr_password' since it may contain secret."

arjraman avatar Jul 05 '22 16:07 arjraman

As a workaround, if you use

    uses: aws-actions/amazon-ecr-login@89d5285760003229ee37172dfefe56519ce76107

it will use the last tag before secrets were masked in https://github.com/aws-actions/amazon-ecr-login/pull/241

kylebyerly-hp avatar Jul 29 '22 22:07 kylebyerly-hp

@kurtislamb @kylebyerly-hp the change removing the 'secret' status of the Docker password was just released.

arjraman avatar Aug 05 '22 18:08 arjraman

@kurtislamb, can you please give it a try? @arjraman recently fixed this issue in version 1.5.1 and it should work now. Use the following syntax in the YAML file, as it automatically picks the latest version (1.X.X):

    uses: aws-actions/amazon-ecr-login@v1

monirul avatar Aug 08 '22 16:08 monirul
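
The two fragments from the original post, assembled into one workflow as it would look once the fix described in this thread is in place. This is an added example, not code from the thread participants or the amazon-ecr-login project; the account ID `123456789012`, the image name and tag, the workflow name and the `test` job are constructed placeholders. Because the password is no longer registered as a secret, the consuming job re-masks it with the runner's `::add-mask::` command before any step can log it.

```yaml
# Added example. Constructed values: account 123456789012,
# image my-repo/my-container:abc1234, workflow name "ci", job name "test".
name: ci
on: push

jobs:
  build:
    runs-on: ubuntu-latest
    # Job outputs are the only channel to another job. The runner skips any
    # output whose value is a masked secret ("Skip output ... since it may
    # contain secret"), which left ecr_password empty before release 1.5.1.
    outputs:
      ecr_username: ${{ steps.login_ecr.outputs.docker_username_123456789012_dkr_ecr_eu_west_1_amazonaws_com }}
      ecr_password: ${{ steps.login_ecr.outputs.docker_password_123456789012_dkr_ecr_eu_west_1_amazonaws_com }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1

      - name: Login to Amazon ECR
        id: login_ecr
        uses: aws-actions/amazon-ecr-login@v1   # 1.5.1 or later, per the thread

  test:
    needs: build
    runs-on: ubuntu-latest
    services:
      container:
        image: 123456789012.dkr.ecr.eu-west-1.amazonaws.com/my-repo/my-container:abc1234
        credentials:
          username: ${{ needs.build.outputs.ecr_username }}
          password: ${{ needs.build.outputs.ecr_password }}
    steps:
      # Masks are per job: register the token again here so later steps
      # in this job cannot print it in clear text.
      - name: Re-mask the ECR password in this job
        env:
          ECR_PASSWORD: ${{ needs.build.outputs.ecr_password }}
        run: echo "::add-mask::$ECR_PASSWORD"
```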