Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ECR login not working: Invalid header field value. #333

Closed
AXington opened this issue Jan 12, 2023 · 3 comments
Closed

ECR login not working: Invalid header field value. #333

AXington opened this issue Jan 12, 2023 · 3 comments

Comments

@AXington
Copy link

Trying to set up Concourse at work for my team and push to an ECR repo. This is currently not working as I'm getting an error about an invalid header field for "Authorization".

I have verified that the aws_access_key_id and aws_secret_access_key combination works on my local terminal.

Here's my current resource definition (with the repository name changed).

- name: docker-image
  type: registry-image
  icon: docker
  source:
    aws_access_key_id: ((common.aws-access-key-id))
    aws_secret_access_key: ((common.aws-secret-access-key))
    aws_region: us-east-1
    repository: foo

For clarification, foo in this context is just the repository name, not the full uri. I have however, tried that, and many other combinations with the aws_region set to both us-east-1 and 012345678910.dkr.ecr.us-east-1.amazonaws.com (account number obviously changed, and using the example from the very poorly worded docs entry for aws_region).

Full error message and logs:

selected worker: concourse-worker-0

WARN[0000] ECR integration is experimental and untested 

ERRO[0000] failed to authenticate to ECR: RequestError: send request failed

caused by: Post "https://api.ecr.us-east-1.amazonaws.com/": net/http: invalid header field value for "Authorization" 

ERRO[0000] cannot authenticate with ECR                 

I've seen several issues where people have requested using roles attached to ec2 instances, but that keeps getting rejected. I also wonder why not add a field for the account number portion of the ecr repo, or just allow to fully specify the full path since this seems to cause a lot of confusion. I did try to search for other issues about this and found several about ECR in general but few if any seem to ever get resolved. What needs to be done to fix this? I'm half tempted to just write a script to do a docker push instead of relying on the 'put'. But what's the point of using concourse at that point and not just use Jenkins or some other pipeline as code solution?

@quantumkisa
Copy link

Hello, @AXington
Have you resolved your issue somehow?

@ritik872000
Copy link

Hi @AXington, in repository you need to pass the full path which you can get in ECR(open the image and copy the URI) paste that in your repository and pass the tag seperately for example.

URI : account_nr.dkr.ecr.eu-west-1.amazonaws.com/aws-credentials-resource:0.13.0

then

repository: account_nr.dkr.ecr.eu-west-1.amazonaws.com/aws-credentials-resource
tag: 0.13.0

@AXington
Copy link
Author

AXington commented Jul 4, 2023

The issue actually lied in escaping the URI when it was stored in a Kube secret. We weren't using Vault or another secret manager, just straight kube secrets.

@AXington AXington closed this as completed Jul 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants