amazon-ecr-credential-helper

Document limitations with `docker build`

Open samuelkarp opened this issue 3 years ago • 6 comments

docker build requires credentials to be known up-front rather than on-demand as specified in the FROM lines. This means that the credential helper needs to guess what credentials might be required and serve them ahead of being asked. This guessing is accomplished by inspecting the previously-referenced registries that are stored in the cache file and populating those as the output of docker-credential-ecr-login list.

In some cases, the credential helper may be asked to run the list command even when there is no cache file. In that instance, if the credential helper can determine a region it will return the registry belonging to the calling AWS account in that region. However, if there is no region specified the credential helper will return an empty list.

In some cases, the image referenced in the FROM line in the Dockerfile may exist in a registry that has not been referenced before. In that case the pull will fail, as the credential helper has not returned it in the output of the list command.

The behavior today causes confusion and should be better documented.

samuelkarp, Dec 22 '20 19:12

> In some cases, the image referenced in the FROM line in the Dockerfile may exist in a registry that has not been referenced before. In that case the pull will fail, as the credential helper has not returned it in the output of the list command.

I think I'm running into this issue. Is this considered a bug that will be fixed? Is there a workaround?

The workaround I thought of was just doing a `docker login` for the registry that has not been referenced before. However, I'm using this helper almost exclusively when running `docker build`, not `docker login`; therefore the `docker login` workaround would probably make this helper redundant for me.

cwiggs, Jan 21 '21 23:01

I was able to work around this issue by adding the AWS accounts to the ~/.docker/config.json, e.g.:

{
	"credHelpers": {
		"1234567.dkr.ecr.us-east-1.amazonaws.com": "ecr-login",
		"7654321.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"
	}
}

cwiggs, Jan 22 '21 18:01
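The issue description explains why the legacy `docker build` fails here: it asks the helper for *all* credentials up front (the `list` command), and the helper can only list registries it has seen before, so a first-time `FROM` registry is missed. The `credHelpers` workaround above fixes that because Docker calls the helper's `get` directly for every host listed there. The script below is an added example, not code from this issue or from amazon-ecr-credential-helper: it statically collects the registries named in a Dockerfile's `FROM` lines and produces a copy of the client config with a `credHelpers` entry for every ECR registry that is not yet mapped. The Dockerfile, config and the function names `from_registries`/`ensure_credhelpers` are my own constructions, and the 12-digit account IDs are placeholders.

```python
import json
import re

# ECR private registry hostnames: <12-digit account id>.dkr.ecr[-fips].<region>.amazonaws.com[.cn]
ECR_HOST_RE = re.compile(r"^\d{12}\.dkr\.ecr(?:-fips)?\.[a-z0-9-]+\.amazonaws\.com(?:\.cn)?$")


def from_registries(dockerfile_text):
    """Collect the registry hosts that `docker build` will need credentials for.

    Returns (hosts, unresolved): `hosts` is the set of registry hostnames named
    in FROM lines; `unresolved` lists FROM references whose registry cannot be
    determined statically (for example ones built from a build ARG).
    """
    hosts = set()
    unresolved = []
    stage_names = set()
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line.upper().startswith("FROM "):  # instruction names are case-insensitive
            continue
        tokens = [t for t in line.split()[1:] if not t.startswith("--")]  # drop --platform=...
        if not tokens:
            continue
        ref = tokens[0]
        if ref == "scratch" or ref in stage_names:
            pass  # no registry involved: empty base image or an earlier build stage
        elif "$" in ref:
            unresolved.append(ref)  # ARG/ENV substitution; resolve by hand
        else:
            first, sep, _ = ref.partition("/")
            # Docker treats the first path component as a registry only if it looks like a host
            if sep and ("." in first or ":" in first or first == "localhost"):
                hosts.add(first)
            else:
                hosts.add("docker.io")  # Docker Hub is implied
        # "FROM x AS name" declares a stage; a later "FROM name" refers to it, not to a registry
        if len(tokens) >= 3 and tokens[1].upper() == "AS":
            stage_names.add(tokens[2])
    return hosts, unresolved


def ensure_credhelpers(config, hosts, helper="ecr-login"):
    """Return (new_config, added): a copy of the Docker client config with a
    credHelpers entry for every ECR host in `hosts` that lacks one.

    Only ECR hosts are mapped to the ECR helper; other registries keep whatever
    configuration they already have.
    """
    new_config = json.loads(json.dumps(config))  # deep copy; leave the caller's dict alone
    helpers = new_config.setdefault("credHelpers", {})
    added = []
    for host in sorted(hosts):
        if ECR_HOST_RE.match(host) and host not in helpers:
            helpers[host] = helper
            added.append(host)
    return new_config, added


# Constructed sample inputs (not from the issue): a multi-stage Dockerfile and a
# client config that already covers one of the two ECR registries it references.
SAMPLE_DOCKERFILE = """\
ARG BASE_REGISTRY=123456789012.dkr.ecr.us-west-2.amazonaws.com
FROM --platform=linux/amd64 111111111111.dkr.ecr.us-east-1.amazonaws.com/build-tools:1 AS builder
RUN make
FROM ${BASE_REGISTRY}/runtime:latest AS runtime
FROM 222222222222.dkr.ecr.eu-west-1.amazonaws.com/amazoncorretto:11-alpine-jre
COPY --from=builder /out /app
FROM alpine:3.19 AS test
FROM scratch
"""

SAMPLE_CONFIG = {
    "credsStore": "ecr-login",
    "credHelpers": {"111111111111.dkr.ecr.us-east-1.amazonaws.com": "ecr-login"},
}

if __name__ == "__main__":
    hosts, unresolved = from_registries(SAMPLE_DOCKERFILE)
    new_config, added = ensure_credhelpers(SAMPLE_CONFIG, hosts)
    print("registries in FROM lines:", sorted(hosts))
    print("cannot resolve statically:", unresolved)
    print("credHelpers entries to add:", added)
    print(json.dumps(new_config, indent=2))
```

The script writes nothing to disk; review the printed config and merge it into ~/.docker/config.json yourself. A `credHelpers` entry takes precedence over `credsStore` for that host, so keeping `credsStore: ecr-login` alongside the per-registry entries is fine. References whose registry comes from a build ARG are reported rather than guessed, because the value is only known at build time.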

> I think I'm running into this issue. Is this considered a bug that will be fixed? Is there a workaround?

Hey @cwiggs! As of now, I don't have a proposal for fixing it; it'd likely require changes in the behavior of docker build to only request the specific credentials each build requires rather than requesting all available credentials.

samuelkarp, Feb 17 '21 02:02

@samuelkarp Understood. Perhaps an update to the readme to include my workaround would be helpful to others?

I know the readme already talks about setting up the ~/.docker/config.json file to handle auth differently for different registries, I was thinking of adding on an explanation about adding your registries to the file to eliminate the issue with the docker build limitations.

I'd be happy to create a PR, let me know if you think that makes sense.

cwiggs, Feb 18 '21 18:02

I'd be happy to take a PR adding documentation about this! This issue is here to remind me to do it, but it's always nice when folks volunteer to help.

samuelkarp, Feb 18 '21 18:02

I found a new workaround that works for me. Simply enable BuildKit, and it works without a `docker pull` first.

> cat /root/.docker/config.json
{"credsStore": "ecr-login"}

> head -n 1 Dockerfile
FROM 489478819445.dkr.ecr.eu-west-1.amazonaws.com/amazoncorretto:11-alpine-jre

> DOCKER_BUILDKIT=1 docker build -t 123456789.dkr.ecr.eu-west-1.amazonaws.com/myimage:mytag .
#1 [internal] load build definition from Dockerfile
#1 sha256:8e78ef88e8f35fb998b916469e1ca845afce63127f2ae878f918a22f030e2c8b
#1 transferring dockerfile: 322B done
#1 DONE 0.1s

#3 [internal] load metadata for 489478819445.dkr.ecr.eu-west-1.amazonaws.com/amazoncorretto:11-alpine-jre
#3 sha256:001794336bc3d7b6812b610f1162fa09f5468ed8386085973d55dac1ae438886
#3 ...

#4 [auth] sharing credentials for 489478819445.dkr.ecr.eu-west-1.amazonaws.com
#4 sha256:5a1da2b1dfc3998caa7afcc96562cb736397cfd0acbe7d44170e72ef352884b3
#4 DONE 0.0s

#3 [internal] load metadata for 489478819445.dkr.ecr.eu-west-1.amazonaws.com/amazoncorretto:11-alpine-jre
#3 sha256:001794336bc3d7b6812b610f1162fa09f5468ed8386085973d55dac1ae438886
#3 DONE 0.4s

#5 [1/3] FROM 489478819445.dkr.ecr.eu-west-1.amazonaws.com/amazoncorretto:11-alpine-jre@sha256:316fd735d78b64fc0163d971ddaed3d8b15fbc1c4c6ae8da49d40cafdc2414b8
#5 sha256:83b27892fcb17a81d34b9fb9d836e0e6e2979b9741d1d114d3c0022e0721d326
#5 resolve 489478819445.dkr.ecr.eu-west-1.amazonaws.com/amazoncorretto:11-alpine-jre@sha256:316fd735d78b64fc0163d971ddaed3d8b15fbc1c4c6ae8da49d40cafdc2414b8 done
#5 sha256:316fd735d78b64fc0163d971ddaed3d8b15fbc1c4c6ae8da49d40cafdc2414b8 740B / 740B done
#5 ...

larstobi, Mar 10 '22 09:03