Unable to push to cross-account AWS ECR registry #253
Comments
Update, this turns out to be a problem/difference in the docker-login action. When running on ubuntu-latest, that action calls AWS CLI v1 and fails. Switching to ubuntu-20.04, which has AWS CLI v2, that action calls get-login-password and the build works without issue. I'll leave this open for now as I'm not sure if that's known behavior or if it's worth addressing (or at least documenting).
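The explicit `get-login-password` login that the update above describes, written out as a shell step (an added example, not part of the original thread or of the action's code). It assumes the standard `<account-id>.dkr.ecr.<region>.amazonaws.com` registry hostname; the function names and the hostname in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: log in to an ECR registry that may live in another account.
# The token is requested with the caller's credentials (ACCOUNT A); the
# registry hostname may belong to ACCOUNT B.

# Split "<account-id>.dkr.ecr.<region>.amazonaws.com" into "account region".
# Anything else (URL scheme, path, wrong domain) is rejected, so a malformed
# registry value fails here instead of later as an opaque 401.
ecr_parse_registry() {
    host=$1
    case "$host" in
        *.dkr.ecr.*.amazonaws.com) ;;
        *) echo "not an ECR registry hostname: $host" >&2; return 1 ;;
    esac
    account=${host%%.*}
    rest=${host#*.dkr.ecr.}
    region=${rest%.amazonaws.com}
    # AWS account IDs are exactly 12 digits.
    case "$account" in
        *[!0-9]*|"") echo "bad account id: $account" >&2; return 1 ;;
    esac
    [ "${#account}" -eq 12 ] || { echo "bad account id: $account" >&2; return 1; }
    case "$region" in
        *[!a-z0-9-]*|"") echo "bad region: $region" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$account" "$region"
}

# Log Docker in to the registry. The region comes from the hostname, not from
# the runner's default region, and the password is passed on stdin so it never
# appears in the process list or the job log.
ecr_login() {
    parsed=$(ecr_parse_registry "$1") || return 1
    login_region=${parsed#* }
    aws ecr get-login-password --region "$login_region" |
        docker login --username AWS --password-stdin "$1"
}

# Usage (constructed hostname):
#   ecr_login 123456789012.dkr.ecr.us-east-1.amazonaws.com
```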
@jtoberon Any idea? @davidski Can you try with the following steps:

```yaml
-
  name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: <region>
-
  name: Login to ECR
  uses: docker/login-action@v1
  with:
    registry: ${{ secrets.AWS_ECR_REPOSITORY }}
```

Also is
Just pinged the ECR team.
Hi, @crazy-max - I've tested out adding the explicit Fail run (CLI v1): https://github.com/davidski/test-docker/runs/1564906561?check_suite_focus=true#step:8:65 I know the ECR login commands got a big rework between v1 and v2, so something seems to be not functioning on the older API. Oh, and yes, the Thanks for looking at this!
Hi @davidski! It seems like this line is the issue in the We can look into the best way to fix the issue with the
Filed docker/login-action#39 for this. I was able to reproduce. @crazy-max let me know if we can help with this.
Hi @michaelb990! Thanks for your feedback! I will take a look and come back to you shortly.
Behaviour
Reference: https://github.com/davidski/test-docker/runs/1552032319?check_suite_focus=true
Pushes to AWS ECR work when the authenticating user is in the same AWS account as the repository, but do not work when the repository is in a different account (but the calling account has permissions).
I realize there is a containerd debug approach recommended, but I'm unsure how to apply that procedure to an AWS ECR location with its particular auth dance of AWS credentials for a docker login. If there's guidance on how to do that, I'm happy to apply it and confirm where the problem lies.
Steps to reproduce this issue
I have confirmed that using these static credentials (from ACCOUNT A) I can push to ACCOUNT B repos from a local Docker (MacOS) installation, verifying that permissions are correct.
Expected behaviour
Push should work, just as it does if the repository is in ACCOUNT A.
Actual behaviour
Push fails with a 401.
Configuration
Logs
logs_2.zip