'UnrecognizedClientException: The security token included in the request is invalid' when pushing ECR image #465

@xyfoo

Describe the bug

Encountered 'UnrecognizedClientException: The security token included in the request is invalid' when trying to push an ECR image

To reproduce

  1. Set up an Azure DevOps service connection with only access key id & secret access key
  2. Use 'Amazon ECR Push' Task
  - task: ECRPushImage@1
    displayName: "Push docker image to AWS ECR"
    inputs:
      awsCredentials: "$(aws_azdo_svc_connection)"
      regionName: "$(aws_region)"
      sourceImageName: "$(docker_image_name)"
      sourceImageTag: "latest"
      repositoryName: "$(ecr_repo_name)"
      pushTag: "latest"
      logRequest: true
      logResponse: true
  3. Run pipeline
  4. Task failed
==============================================================================
Configuring credentials for task
...configuring AWS credentials from service endpoint '{redacted}'
...endpoint defines standard access/secret key credentials
Configuring region for task
...configured to use region us-east-1, defined in task.
Pushing image '{redacted}:latest'
Obtaining authentication token for ECR login
##[error]Error: Failed to obtain authorization token to log in to ECR, error: UnrecognizedClientException: The security token included in the request is invalid
Finishing: Push docker image to AWS ECR

Expected behavior

Image will be pushed to ECR

Your Environment

  • On-prem or cloud based?: Cloud
  • Azure DevOps version: N/A
  • AWS Toolkit for Azure DevOps version: 1.13.0 (Latest)

Additional context

  • Credentials were provided via Azure DevOps service connection
  • The IAM role has ecr.* permission assigned
  • Repository policy. Tried removing it, still doesn't work.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{account-id}:user/{user-id}"
        ]
      },
      "Action": "ecr:*"
    }
  ]
}
  • I'm able to get auth token by running aws ecr get-authorization-token via CLI
  • I'm able to push image manually by running aws ecr get-login-password --region us-east-1 | docker ... via CLI
  • Updates (Apr 22)
    • It works when I set up the service connection with access key id, secret access key & session token from another account with identical permission set.
