This repository has been archived by the owner on Dec 11, 2020. It is now read-only.

Pull an image on a remote host using credentials helper #273

Open
michcio1234 opened this issue Jun 11, 2020 · 4 comments

@michcio1234

The problem

I want to make a certain Docker image from my ECR repository present on an EC2 instance, using Terraform.

Terraform version:

Terraform v0.12.24
+ provider.aws v2.64.0
+ provider.docker v2.7.0
+ provider.null v2.1.2

What I did

Permissions and credentials helper

I have configured permissions (so that instance profile role can log in and pull images) and installed credentials helper on the instance. I put {"credsStore": "ecr-login"} in /home/ec2-user/.docker/config.json. I can SSH into the instance and do docker pull image:tag - this works, no need to do docker login.

I can also do the same using my local docker client by doing docker -H ssh://ec2-user@instance-dns-name.com:22 pull image:tag - the image gets pulled onto the instance.

Terraform configuration

I was trying to do it in Terraform using Docker provider. Here's what I have:

provider "docker" {
  version = "~> 2.7"
  host = "ssh://ec2-user@${aws_instance.main.public_dns}:22"
}

data "docker_registry_image" "backend" {
  name = "image:tag"
}

resource "docker_image" "remote_backend" {
  name = data.docker_registry_image.backend.name
  pull_triggers = [data.docker_registry_image.backend.sha256_digest]
}

IIUC, this should pull the image onto the remote machine. However, Terraform exits with this error:

Error: Got error when attempting to fetch image version from registry: Bad credentials: 401 Unauthorized

  on swarm.tf line 1, in data "docker_registry_image" "backend":
   1: data "docker_registry_image" "backend" {

I verified that Terraform actually connects to the remote Docker host (I could create docker service) - it just won't authenticate to the registry.

I also tried defining config like this (not sure if this is a good approach since I want to use credentials helper on a remote machine, not my local one):

provider "docker" {
  version = "~> 2.7"
  host = "ssh://ec2-user@${aws_instance.main.public_dns}:22"
  registry_auth {
    address = local.docker_registry_url
    config_file_content = "{\"credsStore\": \"ecr-login\"}"
  }
}

But this in turn results in the following error:

Error: Error loading registry auth config: Error parsing docker registry config json: json: cannot unmarshal string into Go value of type docker.dockerConfig

The question

How can I make this work, so that an image is pulled on the remote machine, using credentials provided by ecr-login helper which runs on that machine?
Or maybe it's a bug in the Docker Terraform provider?

@rolandcrosby

Hi @michcio1234, I had the exact same problem. After digging into the code I'm pretty sure this is a bug in the way the provider parses the Docker auth config file, but I've found a workaround. I'll file the bug separately, but for now I've found that you can make it work by setting up the provider like this:

provider "docker" {
    host = "ssh://ec2-user@${aws_instance.main.public_dns}:22"
    registry_auth {
        address = "${local.docker_registry_url}"
        config_file_content = jsonencode({
            "auths" = {
                "https://${local.docker_registry_url}" = {
                    "auth": "",
                    "email": ""
                }
            }
            "credsStore" = "ecr-login"
        })
    }
}

(You could use string interpolation instead of jsonencode, it's just a little easier to read this way.)

Let me know if this solves your problem. Thanks for filing this, I would have assumed I was doing something wrong otherwise :)

@michcio1234
Author

Oh wow, I should check GitHub notifications more often, I only now saw your response. ^^
I asked this question on StackOverflow too and someone suggested that what's happening is actually the intended behaviour.
But I'm gonna try your workaround, it would make things so much simpler for me!

@michcio1234
Author

michcio1234 commented Aug 5, 2020

@rolandcrosby Nope, it didn't help. Terraform exited with:

Error: Error loading registry auth config: Error parsing docker registry config json: 
error getting credentials - err: 
exec: "docker-credential-ecr-login": executable file not found in $PATH, out: ``

I don't have docker-credential-ecr-login executable locally, but I do have it on the remote machine. So it looks like your configuration still authenticates you locally.

Anyway, many thanks for your response. :)
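
The error in the comment above shows the helper named by credsStore being searched for in the $PATH of the machine running Terraform. The following is an added example, not part of the thread and not the provider's code: it applies the Docker CLI's lookup order (credHelpers, then credsStore, then inline auths) to a config.json and reports whether the helper binary exists locally. The registry hostname and the names `strip_scheme` and `resolve_credential_source` are constructed for illustration.

```python
import json
import shutil


def strip_scheme(address):
    """Reduce a registry key to host form (simplified; Docker normalises more cases)."""
    for prefix in ("https://", "http://"):
        if address.startswith(prefix):
            address = address[len(prefix):]
    return address.rstrip("/")


def resolve_credential_source(config_text, registry, which=shutil.which):
    """Say where credentials for `registry` would come from on THIS machine.

    Order used by the Docker CLI: a per-registry credHelpers entry, then the
    global credsStore, then an inline auths entry.
    """
    cfg = json.loads(config_text)
    if not isinstance(cfg, dict):
        raise ValueError("Docker config must be a JSON object")
    host = strip_scheme(registry)
    helpers = {strip_scheme(k): v for k, v in cfg.get("credHelpers", {}).items()}
    helper = helpers.get(host) or cfg.get("credsStore")
    if helper:
        binary = "docker-credential-" + helper
        path = which(binary)  # searched in the local $PATH, never on the remote host
        return ("helper", path) if path else ("helper-missing", binary)
    auths = {strip_scheme(k): v for k, v in cfg.get("auths", {}).items()}
    if (auths.get(host) or {}).get("auth"):
        return ("inline-auth", host)
    return ("anonymous", host)


if __name__ == "__main__":
    registry = "123456789012.dkr.ecr.eu-west-1.amazonaws.com"  # constructed sample
    configs = {
        "helper only": json.dumps({"credsStore": "ecr-login"}),
        "auths + helper": json.dumps({
            "auths": {"https://" + registry: {"auth": "", "email": ""}},
            "credsStore": "ecr-login",
        }),
    }
    for label, text in configs.items():
        print(label, "->", resolve_credential_source(text, registry))
```

Run on the machine that executes Terraform, a `helper-missing` result corresponds to the "executable file not found in $PATH" error quoted above.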

@mf-sky

mf-sky commented Oct 23, 2020

Perfect.
Thank you so much @rolandcrosby !
