Unable to use kaniko with OIDC Token
Issue Description:
I am encountering an issue while attempting to use the amazon-ecr-credential-helper in combination with an OIDC token for authentication. The goal is to push a Docker image to an Amazon ECR registry using Kaniko within a specific context. However, the process is failing with authentication errors.
Steps to Reproduce:
- Create the necessary directory structure and files:
$ mkdir -p /kaniko/.aws
$ echo "${MY_OIDC_TOKEN}" > /kaniko/web_identity_token
$ echo -e "[default]\nrole_arn=${AWS_ROLE_ARN}\nweb_identity_token_file=/kaniko/web_identity_token" > /kaniko/.aws/config
$ mkdir -p /kaniko/.docker
$ echo "{\"credsStore\":\"ecr-login\"}" > /kaniko/.docker/config.json
- Execute Kaniko:
$ /kaniko/executor --context "${CI_PROJECT_DIR}" --dockerfile "${CI_PROJECT_DIR}/Dockerfile" --destination "${ECR_REGISTRY}:${DOCKER_IMAGE_TAG}"
Expected Behavior:
I expected the Kaniko process to authenticate successfully using the amazon-ecr-credential-helper with the provided OIDC token, and for the Docker image to be pushed to the specified Amazon ECR registry.
Actual Behavior: The Kaniko process is failing with the following error messages:
SDK 2023/08/08 14:47:55 WARN falling back to IMDSv1: operation error ec2imds: getToken, http response error StatusCode: 405, request to EC2 IMDS failed
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "000000000.dkr.ecr.us-east-1.amazonaws.com/test:kaniko-test-455a9c73": POST https://000000000.dkr.ecr.us-east-1.amazonaws.com/v2/test/blobs/uploads/: unexpected status code 401 Unauthorized: Not Authorized
Additional Information:
- AWS IAM policy (the two statements below, wrapped in the standard policy document structure):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecr:UploadLayerPart",
        "ecr:PutImage",
        "ecr:InitiateLayerUpload",
        "ecr:GetDownloadUrlForLayer",
        "ecr:CompleteLayerUpload",
        "ecr:BatchGetImage",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "ECR"
    },
    {
      "Action": "ecr:GetAuthorizationToken",
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "ECRGetAuthorizationToken"
    }
  ]
}
Environment:
- Kaniko Version: gcr.io/kaniko-project/executor:debug
Desired Solution: I would appreciate assistance in resolving this issue. Specifically, I am looking for guidance on how to properly configure and use kaniko with an OIDC token to authenticate for pushing Docker images to an Amazon ECR registry.
Thank you for your help!
Running into the same issue, the OIDC token works with other tools and images but kaniko is not picking it up and running into auth issues
This is really an important issue. I cannot install the AWS CLI on an image based on Kaniko either, so I cannot even assume the role and pass it to Kaniko.
I've worked around this by using a separate job to exchange the OIDC credentials for environment values, and pass those to the kaniko job
yeah, I ended up doing the same thing. works, but not ideal.
It should work with the config file, but for now we can use AWS_WEB_IDENTITY_TOKEN_FILE from the aws-sdk to authenticate with ECR. Here is an example using gitlab-ci.
The important part of this setup is saving the value of the GITLAB_OIDC_TOKEN environment variable to the path defined in the AWS_WEB_IDENTITY_TOKEN_FILE environment variable. Additionally, you need to set the AWS_ROLE_ARN environment variable somewhere.
build_image:
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: REPLACE_ME_WITH_THE_AUD
  variables:
    AWS_WEB_IDENTITY_TOKEN_FILE: /kaniko/gitlab-oidc-token
  before_script:
    - mkdir -p /kaniko/.docker
    - echo "{\"credsStore\":\"ecr-login\"}" > /kaniko/.docker/config.json
    - echo $GITLAB_OIDC_TOKEN > $AWS_WEB_IDENTITY_TOKEN_FILE
  script:
    - /kaniko/executor --context "${CI_PROJECT_DIR}" --dockerfile Dockerfile --destination "${ECR_REPO_URI}:${CI_COMMIT_SHORT_SHA}"
  after_script:
    - cat ~/.ecr/log/ecr-login.log
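Both the original report (config-file variant) and the workaround above fail in the same opaque way when one piece of the web-identity flow is missing: the credential helper simply reports a 401 from ECR. The following POSIX sh preflight is an added example, not code from kaniko, amazon-ecr-credential-helper or the comment above. It checks, before `/kaniko/executor` runs, that the token file exists and holds an unexpired JWT with an `aud` claim, that the role ARN has the expected shape, and that docker's config actually selects `credsStore` `ecr-login`. It assumes the token file path, role ARN and docker config path are passed as arguments (in the CI job those would be `"$AWS_WEB_IDENTITY_TOKEN_FILE" "$AWS_ROLE_ARN" /kaniko/.docker/config.json`) and that a GNU/busybox `base64 -d` is available, as in the kaniko debug image. The sample token it builds for the demo is constructed and unsigned; the signature check itself is left to STS.

```shell
#!/bin/sh
# Added preflight check for the AWS web-identity flow used by the CI job above.
# Example code, not part of kaniko, amazon-ecr-credential-helper or the
# original comment. Assumptions: token file, role ARN and docker config are
# passed as arguments; `base64 -d` (GNU/busybox) is available.

# Decode one base64url segment (restores the padding JWTs strip).
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the claims (second segment) of a JWT. The signature is deliberately
# not verified here: STS does that; this only explains why an exchange fails.
jwt_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print the integer value of claim $2 from claims JSON $1, or nothing.
claim_int() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# oidc_preflight TOKEN_FILE ROLE_ARN DOCKER_CONFIG
# Returns 0 when the setup looks usable; prints one line per problem found.
oidc_preflight() {
  token_file=$1; role_arn=$2; docker_config=$3; ok=0

  if [ ! -s "$token_file" ]; then
    echo "token file '$token_file' is missing or empty (was the id_token written?)"; ok=1
  else
    # `echo $TOKEN > file` leaves a trailing newline; strip whitespace first.
    token=$(tr -d '[:space:]' < "$token_file")
    dots=$(( $(printf '%s' "$token" | tr -cd '.' | wc -c) ))
    if [ "$dots" -ne 2 ]; then
      echo "token is not a JWT (expected 3 dot-separated segments, found $((dots + 1)))"; ok=1
    else
      claims=$(jwt_claims "$token")
      exp=$(claim_int "$claims" exp)
      now=$(date +%s)
      if [ -z "$exp" ]; then
        echo "token has no numeric exp claim"; ok=1
      elif [ "$exp" -le "$now" ]; then
        echo "token expired $((now - exp))s ago; STS will reject it"; ok=1
      fi
      case $claims in
        *'"aud"'*) ;;
        *) echo "token has no aud claim; the role trust policy cannot match it"; ok=1 ;;
      esac
    fi
  fi

  case $role_arn in
    arn:aws:iam::[0-9]*:role/?*) ;;
    *) echo "role ARN '$role_arn' is not arn:aws:iam::<account>:role/<name>"; ok=1 ;;
  esac

  # ecr-login is only consulted when docker's config selects it as credsStore.
  if ! grep -q '"credsStore"[[:space:]]*:[[:space:]]*"ecr-login"' "$docker_config" 2>/dev/null; then
    echo "docker config '$docker_config' does not select credsStore ecr-login"; ok=1
  fi
  return $ok
}

# Build a CONSTRUCTED, unsigned token for offline testing: real base64url
# header and claims, placeholder signature. Only for exercising the checks.
make_sample_token() {   # make_sample_token EXP AUD
  hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '=\n' | tr '/+' '_-')
  pl=$(printf '{"aud":"%s","exp":%s,"iss":"https://gitlab.example"}' "$2" "$1" \
       | base64 | tr -d '=\n' | tr '/+' '_-')
  printf '%s.%s.%s' "$hdr" "$pl" "placeholder-signature"
}

# Stand-alone demo: `sh preflight.sh demo` runs the check against constructed files.
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_sample_token 9999999999 sts.amazonaws.com > "$d/token"
  printf '%s\n' '{"credsStore":"ecr-login"}' > "$d/config.json"
  oidc_preflight "$d/token" "arn:aws:iam::123456789012:role/ci-push" "$d/config.json" && echo "preflight ok"
  rm -r "$d"
fi
```

In the job, a `before_script` line such as `oidc_preflight "$AWS_WEB_IDENTITY_TOKEN_FILE" "$AWS_ROLE_ARN" /kaniko/.docker/config.json` turns a silent fall-through to IMDS and a generic 401 into a specific message about which prerequisite is missing, which is usually faster than reading `~/.ecr/log/ecr-login.log` after the fact.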