
Login doesn't support using EC2 instance credentials with ECR login

Behaviour

I am using self-hosted runners with an IAM role attached (with ECR permissions) and the login action fails.

Steps to reproduce this issue

  1. Create a self hosted runner with IAM role attached (with ECR permissions)
  2. Create a workflow with uses: docker/login-action@v1
  3. Try to run the workflow

Expected behaviour

The login should use the EC2 instance credentials and login to ECR.

Actual behaviour

The login action fails

Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

IMO the action should not attempt to overwrite the env vars for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in this case.

I can make it work using this manual run step:

```yaml
- name: ECR login
  run: |
    aws ecr get-login-password | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com
```

Configuration

  • Repository URL (if public): private
  • Build URL (if public): private

```yaml
- name: ECR login
  uses: docker/login-action@v1
  with:
    registry: <aws-account-id>.dkr.ecr.<aws-region>.amazonaws.com
```

Logs

Sorry private repo, I can’t share the logs.

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 2
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

Flydiverny commented, Dec 6, 2021

I did some testing to simulate what happens in the login-action.

Given this step below I will get the expected output (running on a self-hosted runner):

```yaml
      - uses: actions/github-script@v5
        with:
          script: |
            await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
          result-encoding: string
```

```json
{
    "UserId": "REDACTED:i-REDACTED",
    "Account": "REDACTED",
    "Arn": "arn:aws:sts::REDACTED:assumed-role/REDACTED/i-REDACTED"
}
```

Whereas if I add the process.env vars as the login-action does here, the step fails:

```yaml
      - uses: actions/github-script@v5
        with:
          script: |
            let username = ''
            let password = ''
            process.env.AWS_ACCESS_KEY_ID = username || process.env.AWS_ACCESS_KEY_ID;
            process.env.AWS_SECRET_ACCESS_KEY = password || process.env.AWS_SECRET_ACCESS_KEY;
            await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
          result-encoding: string
```

```
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
Error: Unhandled error: Error: The process '/usr/local/bin/aws' failed with exit code 254
```

A simple change to how we set the env vars should resolve it:

```yaml
      - uses: actions/github-script@v5
        with:
          script: |
            let username = ''
            let password = ''
            if (username) {
              process.env.AWS_ACCESS_KEY_ID = username;
            }
            if (password) {
              process.env.AWS_SECRET_ACCESS_KEY = password;
            }
            await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
          result-encoding: string
```

Which will get me my EC2 credentials again 😃

Created a PR #114
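To make the mechanism behind the failing step visible, here is an added example (not code from docker/login-action or from the commenter) that runs the unconditional assignment and the guarded assignment against a clean environment and reports what a child process such as the AWS CLI would inherit. It relies on Node's documented behaviour that any value assigned to `process.env` is coerced to a string, so an unset variable becomes the literal string `"undefined"`.

```javascript
// Added example: contrasts the two ways of setting AWS credential env vars.
// Node coerces values assigned to process.env to strings, so the fallback
// `username || process.env.X` writes the string "undefined" when X is unset,
// and the CLI then sees a bogus static credential instead of falling back to
// the EC2 instance profile.

const AWS_KEYS = ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY'];

// Pattern from the failing step: unconditional assignment with a fallback.
function setCredentialsClobbering(username, password) {
  process.env.AWS_ACCESS_KEY_ID = username || process.env.AWS_ACCESS_KEY_ID;
  process.env.AWS_SECRET_ACCESS_KEY = password || process.env.AWS_SECRET_ACCESS_KEY;
}

// Pattern from the proposed fix: only touch the environment when given a value.
function setCredentialsGuarded(username, password) {
  if (username) process.env.AWS_ACCESS_KEY_ID = username;
  if (password) process.env.AWS_SECRET_ACCESS_KEY = password;
}

// Runs `setter` with both variables unset, captures what a child process
// would inherit, then restores the caller's environment.
function simulate(setter, username, password) {
  const saved = AWS_KEYS.map((k) => [k, process.env[k]]);
  try {
    for (const k of AWS_KEYS) delete process.env[k];
    setter(username, password);
    return {
      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
      // The CLI only consults the instance profile when neither variable
      // is present in the environment at all.
      instanceProfileUsable:
        !('AWS_ACCESS_KEY_ID' in process.env) &&
        !('AWS_SECRET_ACCESS_KEY' in process.env),
    };
  } finally {
    for (const [k, v] of saved) {
      if (v === undefined) delete process.env[k];
      else process.env[k] = v;
    }
  }
}

console.log('clobbering:', simulate(setCredentialsClobbering, '', ''));
console.log('guarded:   ', simulate(setCredentialsGuarded, '', ''));
```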

nitrocode commented, Aug 3, 2021

I’m running into the same issue.

@crazy-max

> Can you give me the complete output of the action please? Some logs are missing (like AWS cli version used). Also looking at the error it looks like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars are wrong or not propagated to the action on your self-hosted runner.

If the self-hosted runner is using an IAM role then these environment variables would not be set, as the EC2 should reuse the IAM role for authentication, no?
