
Could not log in (please check credentials) #785

Closed
v0ldemar01 opened this issue Aug 19, 2023 · 17 comments
Labels
bug Something isn't working

Comments

v0ldemar01 commented Aug 19, 2023

Describe the issue

Hey, I am trying the approach of assuming the role with an OIDC provider. This is my configuration:

```yaml
name: Continuous Delivery Development

on:
  pull_request:
    branches:
      - development
      - production

  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  cd:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Source Code
        uses: actions/checkout@v3

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      # Hello from AWS: WhoAmI
      - name: Sts GetCallerIdentity
        run: |
          aws sts get-caller-identity

      - name: Build, tag, and push backend image
        uses: whoan/docker-build-with-cache-action@v5
        with:
          image_name: ${{ secrets.ECR_BACKEND_REPOSITORY }}
          registry: ${{ secrets.ECR_REGISTRY }}
          image_tag: ${{ github.sha }}
          context: ./
          dockerfile: ./backend/Dockerfile.development
```

[screenshot of the failing step: Build, tag, and push backend image]
I was trying to debug it by adding the Hello from AWS: WhoAmI step, and it works fine. These errors appear regardless of the Login to Amazon ECR step. I've tried to assign the maximum level of permissions to the role, but it didn't help.
Also I attempted to use a custom script instead of docker-build-with-cache-action:

```yaml
      - name: Build, tag, and push backend image
        run: |
          docker build -f ./backend/Dockerfile.development -t ${{ github.sha }} .
          docker tag ${{ github.sha }}:latest ${{ secrets.ECR_REGISTRY }}/${{ secrets.ECR_BACKEND_REPOSITORY }}:${{ github.sha }}
          docker push ${{ secrets.ECR_REGISTRY }}/${{ secrets.ECR_BACKEND_REPOSITORY }}:${{ github.sha }}
```

Can you please assist me? Please let me know if you need more input data.

@v0ldemar01 v0ldemar01 added documentation This is an issue with documentation needs-triage This issue still needs to be triaged labels Aug 19, 2023
peterwoodworth (Contributor) commented Aug 21, 2023

If get-caller-identity is returning the role you expect, then I suspect the cause of this error isn't due to our action. I see you've submitted an issue on the docker build repo; I was going to suggest that.

By the way, master isn't getting updated anymore; you either want v2 or main.

Edit: Just to make sure, this error is coming from the docker-build step, correct? I'm not sure what you mean by

> These errors appear regardless of Login to Amazon ECR step.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed needs-triage This issue still needs to be triaged documentation This is an issue with documentation labels Aug 21, 2023
v0ldemar01 (Author) commented Aug 22, 2023

@peterwoodworth I've tried with v2 and received the same result. Yep, the error is happening on Build, tag, and push backend image; I suppose it's due to an incorrect token, or I'm wrong. "These errors appear regardless of Login to Amazon ECR step" means I have attempted to run the job without the ECR login step and it crashed with the same error. Please let me know if you need more input data.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Aug 22, 2023
peterwoodworth (Contributor) commented

> I have attempted to run job without ecr login step and it crashed with same error

If this step is the one that's causing the crash, then when you remove it which step throws the error and what do those workflow logs look like? Could you post a screenshot of this by any chance?

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Aug 22, 2023
v0ldemar01 (Author) commented

Sure, let me provide you the link to the repo. So let's concentrate on the run with the login ECR step included: the GitHub Actions config and, of course, the result of the action. The step Build, tag and push backend image fails with this error:

```text
An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
Error: Cannot perform an interactive login from a non TTY device
```

but the previous steps, configure aws credentials and login to ecr, are successful.
I also attached a screenshot of the trusted entities for the IAM role:
[screenshot: IAM role trusted entities]
Permission policies:
[screenshot: IAM role permission policies]

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Aug 23, 2023
peterwoodworth (Contributor) commented

This is strange; someone else reported a similar error recently where the credentials aren't being accepted in a subsequent workflow step. Could be a coincidence. Either way, I can't see anything going wrong with configure-aws-credentials in particular, especially if the aws-actions/amazon-ecr-login step succeeded. I won't have time for a while to try and reproduce your exact setup, so I hope the folks who work on the action you're using are able to provide some insight.

peterwoodworth (Contributor) commented

@v0ldemar01 we launched v3 yesterday; in the other issue I linked, someone mentioned it helped. Give it a try?

@peterwoodworth peterwoodworth added the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Aug 24, 2023
peterwoodworth (Contributor) commented

@v0ldemar01 to make sure it's not something wrong with how we're passing around credentials, could you try taking our action out of it and manually supplying the credentials to the action that's failing, according to their documentation? If this works, then we can try to look into exactly how this action is trying to read credentials and see if we can cooperate with it better. If it doesn't work, then there's likely some other issue with your setup that doesn't have to do with the credentials themselves.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. labels Aug 25, 2023
v0ldemar01 (Author) commented Aug 28, 2023

@peterwoodworth I've tried your advice of v3, but it still has the same error. As for the other comment, it's working properly when passing credentials instead of a role.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Aug 28, 2023
peterwoodworth (Contributor) commented

Ok, so when you're passing credentials to the action directly, does this mean that you're running that workflow step with the role credentials, or with the entity that you assume the role with? Which credentials are you passing exactly?

v0ldemar01 (Author) commented

So, by credentials I mean passing aws-access-key-id and aws-secret-access-key without a role.

v0ldemar01 (Author) commented

@peterwoodworth please let me know if you need more input data

peterwoodworth (Contributor) commented

If you're succeeding with only the access key and secret access key, then I think that means that your role doesn't have the proper permissions, and your user does. I meant that you try running the action with assumed role credentials, not your user. But since your user is succeeding, that indicates to me that the user has proper permissions but the role does not. You're trying to run the action with the role, so it is failing.

@peterwoodworth peterwoodworth added response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. and removed needs-reproduction This issue needs reproduction. labels Sep 5, 2023
v0ldemar01 (Author) commented

@peterwoodworth I've provided the screenshots of the role and permission policy. I followed the official documentation. Maybe I was wrong on some points, but I can't figure out where; can you advise me?

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Sep 10, 2023
kellertk (Contributor) commented

Your debug logs for the check run show that the docker-build-with-cache action is attempting to log into ECR and failing. The log messages correspond with these lines in the docker action:

```bash
  echo -e "\n[Action Step] Log in to registry..."
  if _has_value USERNAME "${INPUT_USERNAME}" && _has_value PASSWORD "${INPUT_PASSWORD}"; then
    _docker_login && return 0
    echo "Could not log in (please check credentials)" >&2
  else
    echo "No credentials provided" >&2
  fi
  not_logged_in=true
  echo "INFO: Won't be able to pull from private repos, nor to push to public/private repos" >&2
```

Earlier it tries to log into ECR:

```bash
_login_to_aws_ecr() {
  local array="[]"
  if _is_aws_ecr_public; then
    array=""
  fi
  _aws "$(_aws_ecr)" get-authorization-token --output text --query "authorizationData${array}.authorizationToken" |
    base64 -d | cut -d: -f2 | docker login --username AWS --password-stdin "$INPUT_REGISTRY"
}
```

Which is where the GetAuthorizationToken error would be coming from. The error you're getting is the generic error when your token is unauthorized or invalid. It looks like the docker build action you're using handles logging into ECR for you and is going to ignore anything that the AWS amazon-ecr-login action does, and notably it uses a different login method than the AWS action: the docker build action uses the AWS CLI, and the AWS action uses the JavaScript SDK. It's probably a good idea to pick one login method: either use amazon-ecr-login with mask-password: false and pass those credentials to the docker action, or use the docker action's native ECR support.

I also noticed that your most recent runs seem to be passing. Could you let us know what you've changed?

@kellertk kellertk added the response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. label Sep 10, 2023
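The "one login method" approach from the comment above, written out as a complete workflow. This is an added example, not code from this issue or from either action's project: it keeps the OIDC role assumption, lets amazon-ecr-login perform the single `docker login`, and then builds and pushes with plain `docker` commands so no second tool re-authenticates with the CLI. It assumes the secret names from the original workflow and the `registry` output that amazon-ecr-login exposes.

```yaml
name: Continuous Delivery Development

on:
  pull_request:
    branches: [development, production]
  workflow_dispatch:

permissions:
  id-token: write   # needed to request the OIDC token for role assumption
  contents: read

jobs:
  cd:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source Code
        uses: actions/checkout@v4

      - name: Configure AWS credentials (OIDC, no long-lived access keys)
        uses: aws-actions/configure-aws-credentials@v3   # pinned release, not @master
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Verify the assumed identity before touching ECR
        run: aws sts get-caller-identity

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2   # the only step that logs docker in

      - name: Build, tag, and push backend image
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ secrets.ECR_BACKEND_REPOSITORY }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          # plain docker commands reuse the session created by amazon-ecr-login
          docker build -f ./backend/Dockerfile.development \
            -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
          # GITHUB_OUTPUT takes key=value lines; exposes the image ref to later steps
          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
```

If the build must stay on a third-party docker action, pass it the amazon-ecr-login outputs (with mask-password: false) instead of letting it call the CLI itself, so only one credential path exists per job.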
github-actions bot commented

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 2 days unless further comments are made. label Sep 15, 2023
v0ldemar01 (Author) commented Sep 16, 2023

@kellertk Hey, I carefully looked at your comment and checked it. I've attempted to run a custom script for docker building and pushing like

```bash
docker build -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
echo "Pushing image to ECR..."
docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
# GITHUB_OUTPUT expects key=value lines
echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
```

and it works fine. Thanks so much, guys, for helping.

@github-actions github-actions bot removed closing-soon This issue will automatically close in 2 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to 'closing-soon' in 5 days. labels Sep 16, 2023
github-actions bot commented

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
