Unable to push to cross-account AWS ECR registry
Behaviour
Reference: https://github.com/davidski/test-docker/runs/1552032319?check_suite_focus=true
Pushes to AWS ECR work when the authenticating user is in the same AWS account as the repository, but do not work when the repository is in a different account (but the calling account has permissions).
I realize there is a containerd debug approach recommended, but I’m unsure how to apply that procedure to an AWS ECR location with its particular auth dance of AWS credentials for a docker login. If there’s guidance on how to do that, I’m happy to apply it and confirm where the problem lies.
Steps to reproduce this issue
- Set up a static user in ACCOUNT A with full permissions to ECR.
- Set up a repository in ACCOUNT B, giving ACCOUNT A full permissions at the account ID (root) level.
- Push process fails with a 401.
I have confirmed that using these static credentials (from ACCOUNT A) I can push to ACCOUNT B repos from a local Docker (MacOS) installation, verifying that permissions are correct.
Expected behaviour
Push should work, just as it does if the repository is in ACCOUNT A.
Actual behaviour
Push fails with a 401.
Configuration
- https://github.com/davidski/test-docker
- https://github.com/davidski/test-docker/runs/1552032319?check_suite_focus=true
name: Docker Image
on:
  push:
    branches:
      - master
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Docker meta
        id: docker_meta
        uses: crazy-max/ghaction-docker-meta@v1
        with:
          images: ${{ secrets.AWS_ECR_REPOSITORY }}/docker-image
          tag-sha: true
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
        with:
          buildkitd-flags: --debug
      - name: Set up containerd
        uses: crazy-max/ghaction-setup-containerd@v1
      # Registry lives in ACCOUNT B; the static credentials belong to ACCOUNT A.
      - name: Login to AWS Elastic Container Registry
        uses: docker/login-action@v1
        with:
          registry: ${{ secrets.AWS_ECR_REPOSITORY }}
          username: ${{ secrets.AWS_ACCESS_KEY_ID }}
          password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v2
        with:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
      - name: Dump context
        if: always()
        uses: crazy-max/ghaction-dump-context@v1
Logs
Top GitHub Comments
Hi @davidski!
It seems like this line is the issue in the docker/login-action command. get-login without a registry-id passed in will log you into the default registry for the user. So, if I’m reading this correctly, your action (when using aws-cli-v1) is logging into your default registry, in this case ACCOUNT A, instead of the registry that you’re trying to login to in ACCOUNT B.
We can look into the best way to fix the issue with the docker/login-action, but in the meantime, you may want to try using the amazon-ecr-login action which shouldn’t have this issue.
Just pinged the ECR team.