amazon-ecr-credential-helper

GitLab CI & Kaniko build error getting credentials from ECR

Open jordan85 opened this issue 3 years ago • 4 comments

Hello everybody,

I am trying to push my CI build to ECR with Kaniko, but I have the following problem. Screen error:

E0323 20:23:21.609447      22 aws_credentials.go:100] error getting credentials from ECR for myaccount.dkr.ecr.eu-west-3.amazonaws.com NoCredentialProviders: no valid providers in chain. Deprecated.
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
error pushing image: failed to push to destination myaccount.dkr.ecr.eu-west-3.amazonaws.com/myproject:7eddba53af75: HEAD https://myaccount.dkr.ecr.eu-west-3.amazonaws.com/v2/myproject/blobs/sha256:9fdae33d52319a11cb86523712e48cf1f4682fb0239a: unsupported status code 401

~/.ecr/log/ecr-login.log:

time="2021-03-23T20:22:54Z" level=debug msg="Could not fetch credentials for cache prefix, disabling cache" error="NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"
time="2021-03-23T20:22:54Z" level=debug msg="Retrieving credentials" region=eu-west-3 registry=myaccount serverURL=myaccount.dkr.ecr.eu-west-3.amazonaws.com
time="2021-03-23T20:22:54Z" level=debug msg="Calling ECR.GetAuthorizationToken" registry=myaccount
time="2021-03-23T20:23:15Z" level=error msg="Error retrieving credentials" error="ecr: Failed to get authorization token: NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"

In my build environment my ~/.aws/credentials is OK and /kaniko/.docker/config.json is also OK; during CI deployment I check file integrity with:

run cat ~/.aws/credentials
run cat /kaniko/.docker/config.json

I have the impression that my credentials are not consumed.

With the same AWS API account I can push Docker images from my laptop; permissions in IAM are not a problem.

Do you have an idea?

Thanks and have a good day, Jordan

jordan85 avatar Mar 23 '21 21:03 jordan85

@jordan85 I'm getting the same issue as you have reported. Did you manage to fix this, or do you know what could be causing it?

invhariharan77 avatar Nov 24 '21 17:11 invhariharan77

If you are using multiple stages in your Dockerfile, Kaniko will remove your /root/.aws directory between each stage by default.

Adding --ignore-path=/root/.aws to the executor command will persist the .aws directory between stages.

ineentho avatar Dec 16 '21 14:12 ineentho

Appending docker login helped me resolve my issue.

printf "%s" "${DOCKER_PASSWORD}" | docker login -u "${DOCKER_USERNAME}" --password-stdin "${DOCKER_REGISTRY}"

masonhuemmer avatar Mar 18 '22 08:03 masonhuemmer

If you are using multiple stages in your Dockerfile, Kaniko will remove your /root/.aws directory between each stage by default.

Adding --ignore-path=/root/.aws to the executor command will persist the .aws directory between stages.

@ineentho

It works for me! I failed to push my multi-stage build image to the ECR repository.

I'm using IRSA, so I ignored the path where WEB_IDENTITY_TOKEN is placed and it worked.

yb-yu avatar May 03 '23 01:05 yb-yu
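
Putting the replies above together, as an added example (not code from the thread or from the amazon-ecr-credential-helper or Kaniko projects): a POSIX sh helper that finds which AWS credential source the job has and emits one `--ignore-path` flag for each file-based one, covering both the `~/.aws` case and the IRSA token case. The function name `kaniko_ignore_flags` and the `ECR_IMAGE` variable are hypothetical; `AWS_SHARED_CREDENTIALS_FILE` and `AWS_WEB_IDENTITY_TOKEN_FILE` are the standard AWS SDK environment variables.

```shell
#!/bin/sh
# Added example: derive kaniko --ignore-path flags for whichever AWS
# credential source the build job has, so a multi-stage build does not
# wipe it before the ECR credential helper runs at push time.

# Prints one --ignore-path flag per file-based credential location.
# Returns 1 (printing nothing) when no credential source is visible,
# i.e. the NoCredentialProviders situation reported in the issue.
kaniko_ignore_flags() {
    found=1

    # Static keys in the environment: nothing on disk to protect.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        found=0
    fi

    # Shared credentials file (default ~/.aws/credentials). The parent
    # directory is ignored, matching --ignore-path=/root/.aws in the thread.
    creds="${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-/root}/.aws/credentials}"
    if [ -f "$creds" ]; then
        printf '%s%s\n' '--ignore-path=' "$(dirname "$creds")"
        found=0
    fi

    # IRSA: the SDK reads a projected service-account token from this file.
    token="${AWS_WEB_IDENTITY_TOKEN_FILE:-}"
    if [ -n "$token" ] && [ -f "$token" ]; then
        printf '%s%s\n' '--ignore-path=' "$(dirname "$token")"
        found=0
    fi

    return "$found"
}

# Usage in the CI job script (ECR_IMAGE is a placeholder for the destination):
#   flags=$(kaniko_ignore_flags) || { echo "no AWS credential source found" >&2; exit 1; }
#   /kaniko/executor --context "$CI_PROJECT_DIR" --dockerfile Dockerfile \
#       --destination "$ECR_IMAGE" $flags
```

Failing the job when the function returns 1 surfaces a missing credential source before the build starts, instead of as a 401 at push time.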