Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

AWS CLI v2 authentication to ECR

See original GitHub issue

Environment:

Jib version: 2.7.1
Build tool: Gradle 6.7.1
OS: Ubuntu 20.04

Description of the issue:

I have updated AWS CodeBuild image to Ubuntu 20.04 which ships with AWS CLI version 2. The new AWS CLI has changed ECR login and I cannot authenticate Jib build now.

Expected behavior:

Previously, I could authenticate the Jib to ECR by $(aws ecr get-login -no-include-email) and then call ./gradlew jib.

It has been deprecated now and recommended method is:

aws ecr get-login-password | docker login --username AWS --password-stdin MY-REGISTRY-URL (source)

How do I reproduce --password-stdin in Jib environment?

Thank you

Issue Analytics

State:
Created 2 years ago
Comments:5 (2 by maintainers)

Top GitHub Comments

3reactions

jakubgrubercommented, Apr 9, 2021

I have resolved the issue by rewriting the CI/CD pipeline. Your stackoverflow comment helped me a lot to understand how the authentication works.

AWS CLI v1:

$(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
chmod +x ./gradlew
./gradlew jib --image=$ECR_REPO_URI:$IMAGE_TAG

AWS CLI v2:

JIB_ECR_USERNAME=AWS
JIB_ECR_PASSWORD=$(aws ecr get-login-password --region $AWS_DEFAULT_REGION)
chmod +x ./gradlew
./gradlew jib --image=$ECR_REPO_URI:$IMAGE_TAG -Djib.to.auth.username=$JIB_ECR_USERNAME -Djib.to.auth.password=$JIB_ECR_PASSWORD

Hopefully, someone will find this usefull.

1reaction

chanseokohcommented, Apr 9, 2021

Thanks for the update. Very interesting. Just one thing, since you are passing the credentials on the command line, you may want to make sure that the command (hence the username and password) is not logged or stored in a shell history. You can easily eliminate the risk in Gradle, e.g., if you set jib.to.auth.username = System.getenv('JIB_ECR_USERNAME') in build.gradle.

However, the following is supposed to just work. With the right MY-REGISTRY-URL (should be the host[:port] portion of $ECR_REPO_URI), it does docker login, which will store the credentials for the registry into ~/.docker/config.json. Then Jib should be able to pick up the credentials for MY-REGISTRY-URL.

aws ecr get-login-password | docker login --username AWS --password-stdin MY-REGISTRY-URL

Top Results From Across the Web

Using Amazon ECR with the AWS CLI

Using Amazon ECR with the AWS CLI · Step 1: Create a Docker image · Step 2: Authenticate to your default registry ·...

get-login-password — AWS CLI 2.9.5 Command Reference

This command retrieves and displays an authentication token using the GetAuthorizationToken API that you can use to authenticate to an Amazon ECR registry....

New command for AWS CLI v2 to replace `aws ecr get-login ...

According to the documentation this can be replaced by running aws ecr get-login-password | docker login --username AWS --password-stdin ...

ECR docker login issues with CLI v2 #4962 - GitHub

mjsteinbaugh commented on Feb 14, 2020 edited ; aws_account_id="000000000000" aws_region="us-east-1" ; # Using AWS CLI 2. aws ecr get-login- ...

aws cli - What is the proper way to log in to ECR? - Server Fault

Tinkering around this seems to work well: aws ecr get-login-password | docker login -u AWS --password-stdin "https://$(aws sts ...