aws-runas

Support podman for ECR authentication

Open kebeda opened this issue 2 years ago • 4 comments

Don't have docker, only have podman 4+ installed on my machine. It has been working less well over time, as the version numbers keep going up. As of aws-runas 3.3.2 this is the situation:

aws-runas ecr login my_profile ECR-endpoint-1 ECR-endpoint-2...

results in:

2022/04/27 09:16:50 authentication failed

Doing it the old school way:

aws-runas my_profile aws ecr get-login-password --region my_region | podman login --username AWS --password-stdin ECR-endpoint-1

Never works on the first try, sometimes works on the second try, and is a little bit more reliable if you break the commands up instead of piping the output of one into the other. The output when this fails is:

2022/04/27 09:20:50 authentication failed Password: Error: getting username and password: reading password: inappropriate ioctl for device

Please make this work with podman as well as it used to again.

kebeda avatar Apr 27 '22 14:04 kebeda

Looks like specifying a region when making the ECR GetAuthorizationToken call should get this working again. I was able to replicate the error with docker as well. I think we can get this fixed up pretty quick, and should have something for you to test today.

mmmorris1975 avatar Apr 27 '22 16:04 mmmorris1975

3.3.3 should fix this. Give it a try and let me know if that solves the issue, and we can remove the pre-release flag for it.

mmmorris1975 avatar Apr 27 '22 17:04 mmmorris1975

3.3.3 doesn't give me the "authentication failed" message, but it does still give me the "inappropriate ioctl for device" message, no dice :(

In fact, just running aws ecr get-login-password yields:

2022/04/29 16:45:07 expected response content not found

kebeda avatar Apr 29 '22 21:04 kebeda

It looks like the "inappropriate ioctl" message happens because there was no data on stdin when the docker login command is exec'd from inside aws-runas. Meaning something was goofy when getting the ECR auth token, but not goofy enough to actually raise an AWS API or base64 decoding error.

What's interesting is that you can stimulate a failure to get ECR auth data with awscli, which means that aws-runas is only acting on the IAM/STS API, and not ECR. I'm still working to induce a failure when doing aws-runas my_profile aws ecr get-login-password so I can see what's going on. If you are able to reliably get the awscli command to fail, could you add the --debug flag at the very end of the awscli command? Maybe that would give us a better understanding of where the issue may be.

mmmorris1975 avatar Apr 30 '22 16:04 mmmorris1975
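
Added example, not part of the thread and not aws-runas code: a shell wrapper for the manual login from the issue that captures the ECR password first and refuses to start the login when nothing came back, which is the empty-stdin condition described in the last comment. The function names and exit codes 2 and 3 are assumptions made for this sketch; the aws-runas, aws and podman invocations are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example: fail early when the ECR password is empty instead of letting
# `podman login --password-stdin` start with nothing to read.
# Function names and exit codes are hypothetical, chosen for this sketch.

# Fetch the ECR password (command as quoted in the issue).
fetch_token() {
    aws-runas "$1" aws ecr get-login-password --region "$2"
}

# Hand the password to the container tool on stdin, never on the command line.
registry_login() {
    podman login --username AWS --password-stdin "$1"
}

# Usage: ecr_login my_profile my_region ECR-endpoint-1
# The body is a subshell so its variables do not leak into the caller.
ecr_login() (
    profile=$1 region=$2 registry=$3

    # Capture first: in a pipeline the login starts even if the fetch fails.
    if ! token=$(fetch_token "$profile" "$region"); then
        echo "ecr_login: token fetch failed for profile $profile" >&2
        return 2
    fi

    # Empty or whitespace-only output means there is nothing to put on stdin.
    case "$token" in
        *[![:space:]]*) ;;
        *)
            echo "ecr_login: token fetch returned no data" >&2
            return 3
            ;;
    esac

    # printf is a shell builtin, so the token never appears in process arguments.
    printf '%s' "$token" | registry_login "$registry"
)
```

A non-zero status from `ecr_login` distinguishes a failed fetch (2) from an empty result (3), so the login tool is only ever started with a password on its stdin.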