List command relies on a region being specified #63
Comments
Just as some background, we're trying to use the credential helper on our GitLab CI runners so there is no interactive session to specify the region. You can see how they have implemented it here: Appears to be using the Docker SDK to list all credentials that the helpers can provide. From #28 it appears you have to set the region via an environment variable - but I don't see how this is possible when the credential helper is executed in this manner. Also as a side note I've tried specifying the region in ~/.aws/config but this doesn't work either - it only gets detected if I manually execute the credential helper in a shell. |
I also have this problem. Some machines are OK, others see "Could not list credentials: MissingRegion: could not find region configuration". The config is the same. |
Hi, I found a way to solve this issue.
Then you can log in to the ECR long long. |
@Tomdarkness the problem is that the list command doesn't provide region info, but the AWS SDK requires it. Without a specified region, the AWS SDK reads it from either AWS_REGION or ~/.aws/config if AWS_SDK_LOAD_CONFIG is set. Either way requires an env variable. You can set it in the /env/environment on Ubuntu. |
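As an added example (not part of the thread, and not the helper's or the AWS SDK's code), this shell preflight models the lookup described in the comment above: AWS_REGION first, then the shared config file only when AWS_SDK_LOAD_CONFIG is set. The function names, the constructed sample config, and the use of AWS_CONFIG_FILE and AWS_PROFILE to select the file and profile are assumptions of this example.

```shell
#!/usr/bin/env bash
# Model of the region lookup described in the thread; not the helper's or the SDK's code.

# Constructed sample of an AWS shared config file (~/.aws/config).
sample_config() {
    cat <<'EOF'
[default]
output = json

[profile ci]
region = eu-central-1
EOF
}

# region_from_config FILE PROFILE: print PROFILE's region from FILE, if any.
region_from_config() {
    local file="$1" profile="$2" section="[default]"
    [ "$profile" = default ] || section="[profile $profile]"
    [ -r "$file" ] || return 0
    awk -v want="$section" '
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_sec = ($0 == want); next }
        in_sec && /^[ \t]*region[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$file"
}

# resolve_region: print "<source>=<region>" for the first source that yields a
# region; return 1 when none does (the MissingRegion case).
resolve_region() {
    local region
    if [ -n "${AWS_REGION:-}" ]; then
        echo "AWS_REGION=$AWS_REGION"
        return 0
    fi
    # Simplification: any non-empty AWS_SDK_LOAD_CONFIG counts as "set".
    if [ -n "${AWS_SDK_LOAD_CONFIG:-}" ]; then
        region=$(region_from_config "${AWS_CONFIG_FILE:-$HOME/.aws/config}" "${AWS_PROFILE:-default}")
        if [ -n "$region" ]; then echo "config=$region"; return 0; fi
    fi
    return 1
}

# Preflight for the current environment, e.g. as the first step of a CI job.
if src=$(resolve_region); then
    echo "region resolved from $src"
else
    echo "no region: 'docker-credential-ecr-login list' would report MissingRegion" >&2
fi
```

Run it as the same user and from the same service unit as the runner, since the result depends on the environment the helper actually inherits.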
@gengmao Thanks, but it seems that I can't set the environment in which the credential helper is executed. As mentioned above, the credential helper is being executed using the Docker SDK via the GitLab CI runner. I've tried setting the environment variables in the environment in which the runner itself executes, but these don't seem to get inherited by the environment the credential helper is executed in, and it doesn't appear that Docker exposes any way of configuring the environment. Ideally it would be great if the list command could just automatically return all registries, regardless of region, the current credentials can access. |
Or at least provide a way of configuring the region without having to manipulate the environment the helper is executed in. |
@Tomdarkness Apologies for the delayed response here. As @gengmao explained, the credential helper needs to know what region it should use in order to get credentials for the default registry in that region. However, if you know the set of registries you'll be authenticating against, you can work around this issue and configure the credential helper to use those registries in the
This isn't possible. The set of registries that a given set of credentials can access is dependent both on policies applied to the credentials as well as policies applied to the resources that you're accessing (the repository in question); the policies can also include conditionals that allow access under different scenarios (time-based access, requiring MFA, etc). The IAM policy reference has a fairly detailed explanation of different ways you can configure policies. Additionally, if ECR did have a way to enumerate the access that a set of credentials has, it would risk exposing customers who had accidentally configured their repositories to allow more access than they had desired. With that said, I do think there are a few ways we can have better default behavior:
I believe we'd be open to a pull request implementing the first approach above and would be happy to have discussion about whether the second approach is appropriate or not. |
@Tomdarkness As I said on GitLab Runner - I've got this working. I don't know if you want to continue working towards getting it working with extra config before modifying this helper? |
I don't really understand the logic from @samuelkarp here. To me, the critical step is step 4 from @HrmesWorld (I actually don't need to run
My experience of this bug is I can't build a Dockerfile which uses |
@joshk0 Did you solve your issue? I've the same problem (using GitLab CI). I run GitLab CI script which uses Docker. Inside the docker container, I'm trying to build an image but it fails at FROM xxx.dkr.ecr.eu-central-1.amazonaws.com. |
I met the same problem as @joshk0, I have to set AWS_REGION=us-west-2 in order to fix this. |
I had the same issue. I did this and it worked:
#$(aws ecr get-login --no-include-email --region sa-east-1)
#docker pull xxxxx.dkr.ecr.sa-east-1.amazonaws.com:xxxxxx
modify the ~/.docker/config.json to
and again:
#docker pull xxxxx.dkr.ecr.sa-east-1.amazonaws.com:xxxxxx
#docker-credential-ecr-login list
you should get:
{"https://xxxxxx.dkr.ecr.sa-east-1.amazonaws.com":"AWS"}
it will create the file ~/.ecr/cache.json
thanks @HrmesWorld ! |
Running docker pull first before docker build worked for me. Otherwise it would show a no auth error. |
For y'all gitlab users with ecr-login failing unless the token is cached, check out this issue to see if it's related. I just submitted a merge request that I think may help. |
I've been bitten by this when trying to set up GitLab Runner using an official repository. The installation process, by default, executes
[ssm-user@<ip> bin]$ sudo systemctl cat gitlab-runner | grep ExecStart
ExecStart=/usr/lib/gitlab-runner/gitlab-runner "run" "--working-directory" "/home/gitlab-runner" "--config" "/etc/gitlab-runner/config.toml" "--service" "gitlab-runner" "--syslog" "--user" "gitlab-runner"
Hence, providing environment variables via
sudo mkdir --parents /etc/systemd/system/gitlab-runner.service.d/
sudo touch /etc/systemd/system/gitlab-runner.service.d/local.conf
sudo tee /etc/systemd/system/gitlab-runner.service.d/local.conf > /dev/null << EOL
[Service]
Environment="AWS_REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document|jq -r .region)"
EOL
sudo systemctl daemon-reload
sudo systemctl restart gitlab-runner
Which made everything work without having to execute |
Can I suggest that the plugin should also honor the AWS_DEFAULT_REGION variable if it is present, rather than only searching for AWS_REGION? |
@man-jiteshm-sportsbet I'd be happy to take a pull request to that effect. |
I have the same issue. I would think that if
|
I've opened #251 to track the need for better documentation of limitations related to |
Was running into this issue, but setting the registries explicitly in the Docker |
Output of
docker-credential-ecr-login list
gives: Could not list credentials: MissingRegion: could not find region configuration:
Using IAM role to authenticate. Would expect the list command to not require a region as I don't see how you can set this via docker config option.