aws-toolkit-azure-devops icon indicating copy to clipboard operation
aws-toolkit-azure-devops copied to clipboard

Published 20 hours ago verified publisher icon aws

error parsing HTTP 403 response body: unexpected end of JSON input: "" when push image to ecr

Open sharkguto opened this issue 5 years ago • 7 comments

Describe the bug I can not upload my image from azure devops to aws ecr

To reproduce

2019-11-28T18:34:36.0850956Z ##[section]Starting: Push Image: latest 2019-11-28T18:34:36.0854117Z ============================================================================== 2019-11-28T18:34:36.0854220Z Task : Amazon ECR Push 2019-11-28T18:34:36.0854276Z Description : Push a Docker image to an Amazon Elastic Container Registry on AWS 2019-11-28T18:34:36.0854352Z Version : 1.5.0 2019-11-28T18:34:36.0854400Z Author : Amazon Web Services 2019-11-28T18:34:36.0854537Z Help : Please refer to Amazon Elastic Container Registry documentation for working with this service.

More information on this task can be found in the task reference.

####Task Permissions This task requires permissions to call the following AWS service APIs (depending on selected task options, not all APIs may be used):

  • ecr:DescribeRepositories
  • ecr:CreateRepository
  • ecr:GetAuthorizationToken 2019-11-28T18:34:36.0854910Z ============================================================================== 2019-11-28T18:34:36.4034903Z Configuring credentials for task 2019-11-28T18:34:36.4040620Z 91a5d750-74c1-47c1-9738-38125f5bf13a exists true 2019-11-28T18:34:36.4042384Z ...configuring AWS credentials from service endpoint '91a5d750-74c1-47c1-9738-38125f5bf13a' 2019-11-28T18:34:36.4042487Z ...endpoint defines standard access/secret key credentials 2019-11-28T18:34:36.4065167Z Configuring region for task 2019-11-28T18:34:36.4068292Z ...configured to use region us-east-1, defined in task. 2019-11-28T18:34:36.4159990Z Pushing image 'brasil317-odin-svc:latest' 2019-11-28T18:34:36.4164294Z Obtaining authentication token for ECR login 2019-11-28T18:34:37.2408133Z Testing existence of repository 'brasil317-odin-svc' 2019-11-28T18:34:37.7461702Z Adding tag '999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc:latest' to image 'brasil317-odin-svc:latest' 2019-11-28T18:34:37.7463673Z Invoking '/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker' with command 'tag' 2019-11-28T18:34:37.7479916Z [command]/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker tag brasil317-odin-svc:latest 999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc:latest 2019-11-28T18:34:37.7720571Z Invoking '/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker' with command 'login' 2019-11-28T18:34:39.0661318Z Pushing image '999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc:latest' to Elastic Container Registry 2019-11-28T18:34:39.0662011Z Invoking '/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker' with command 'push' 2019-11-28T18:34:39.0687661Z [command]/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker push 999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc:latest 2019-11-28T18:34:39.0952156Z The push refers to repository [999999999999.dkr.ecr.us-east-1.amazonaws.com/brasil317-odin-svc] 2019-11-28T18:34:39.5776826Z 8fb7077905f4: Preparing 2019-11-28T18:34:39.5778400Z 5534385be237: Preparing 2019-11-28T18:34:39.5778547Z 0dadcf4d9cca: Preparing 2019-11-28T18:34:39.5778664Z 7aec04de5457: Preparing 2019-11-28T18:34:39.5779016Z a74cc5d23d85: Preparing 2019-11-28T18:34:39.5779350Z 975d2c9c8b2c: Preparing 2019-11-28T18:34:39.5779530Z 4cc0dcd1fc04: Preparing 2019-11-28T18:34:39.5779694Z ff069951ece4: Preparing 2019-11-28T18:34:39.5779915Z ade02cbbac9a: Preparing 2019-11-28T18:34:39.5780072Z e36299e0cdf7: Preparing 2019-11-28T18:34:39.5780361Z 1be02b18dfe7: Preparing 2019-11-28T18:34:39.5780520Z 831c5620387f: Preparing 2019-11-28T18:34:39.5780735Z ff069951ece4: Waiting 2019-11-28T18:34:39.5780897Z ade02cbbac9a: Waiting 2019-11-28T18:34:39.5781337Z e36299e0cdf7: Waiting 2019-11-28T18:34:39.5781499Z 1be02b18dfe7: Waiting 2019-11-28T18:34:39.5781709Z 831c5620387f: Waiting 2019-11-28T18:34:39.5781866Z 975d2c9c8b2c: Waiting 2019-11-28T18:34:39.5782021Z 4cc0dcd1fc04: Waiting 2019-11-28T18:34:42.1361943Z error parsing HTTP 403 response body: unexpected end of JSON input: "" 2019-11-28T18:34:42.1473731Z ##[error]Error: The process '/opt/hostedtoolcache/docker-stable/17.9.0-ce/x64/docker' failed with exit code 1 2019-11-28T18:34:42.1485598Z ##[section]Finishing: Push Image: latest

Expected behavior should work upload image to ecr

Screenshots image

image image image

Your Environment Azure Devops with latest version

Additional context

sharkguto avatar Nov 28 '19 18:11 sharkguto

That message is coming from docker, it was unable to connect to the repository and got a 403. This probably indicates an issue with your credentials.

hunterwerlla avatar Dec 02 '19 16:12 hunterwerlla

I just spent the evening determining the absolute minimum set of permissions to do a docker push to ecr. I'm here because I was also getting the JSON error, but it turned out to be buggy error reporting hiding missing permissions (source of hint). Below are the needed permissions. Be sure to replace ${REGION}, ${ACCONT_ID} and ${REGISTRY_NAME} accordingly (the arn there is the ECR registry arn).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/{$REGISTRY_NAME}"
    },
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}

rainabba avatar May 05 '20 06:05 rainabba

This worked for me. Thank you.

SanthoshKJagadish avatar May 19 '21 13:05 SanthoshKJagadish 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ],
      "Resource": "arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/{$REGISTRY_NAME}"
    },
    {
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    }
  ]
}

Helped with finally get it working, thanks!

hronix avatar Oct 22 '21 17:10 hronix

https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html

guonengamazon avatar Oct 29 '21 11:10 guonengamazon

I got the exact same issue when I was trying to push an image to AWS lightsail. I even re-install the docker, reset docker settings. But none of those things worked. Then I deactivated the python virtual environment and then tried the same command. Then it pushed the image and registered in AWS. It's strange, but it worked finally.

ranmalmendis avatar Oct 03 '23 05:10 ranmalmendis