I am trying to build docker image and upload it to AWS ECR using Github actions. Had referred articles online and came up with an action file with one of its step as:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials#v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.ROLE }}
aws-region: us-west-2
When I run the workflow, I get an error at this step saying "Error: The security token included in the request is invalid." even though I have provided the correct credentials. What am I missing here?
I wanted to get it connected and move to the next step, which is:
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login#v1
- name: Build, tag, and push image to Amazon ECR
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: test
IMAGE_TAG: test_new
Any help would be appreciated.
Related
I'm creating workflow:
where environment variables are sets between workflow and jobs:
While accessing the workflow based env, I'm getting error:
Unrecognized named-value: 'env'. Located at position 1 within expression: env.ACCOUNT_ID
all I want to access the job based env to each steps while referring to workflow based env.
The workflow
env:
AWS_REGION: ${{ vars.AWS_REGION }}
ACCOUNT_ID: ${{ secrets.TRAINING_ACCOUNT_ID }}
jobs:
dev:
runs-on: ubuntu-latest
env:
ECR_REGISTRY: ${{ env.ACCOUNT_ID }}.dkr.ecr.${{env.AWS_REGION}}.amazonaws.com
steps:
- name: build
run: |
aws --region ${{env.AWS_REGION}} ecr get-login-password | docker login --username AWS --password-stdin ${{env.ECR_REGISTRY}}
I found this as answer after a quite trial, if someone has the official answer, please post it.
But to work in my case, this is the hack:
env:
AWS_REGION: ${{ vars.AWS_REGION }}
ACCOUNT_ID: ${{ secrets.TRAINING_ACCOUNT_ID }}
jobs:
dev:
runs-on: ubuntu-latest
env:
ECR_REGISTRY: $ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
steps:
- name: build
run: |
aws --region ${{env.AWS_REGION}} ecr get-login-password | docker login --username AWS --password-stdin ${{env.ECR_REGISTRY}}
I'm facing this error that I don't understand because I'm using the same pipeline in another repo and it never showed me this error:
Run aws-actions/configure-aws-credentials#v1-node16
with:
aws-region: us-east-1
audience: sts.amazonaws.com
Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
here is my code:
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials#v1-node16
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
they recommended to use this:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
I tried it but didn't work also.
I am using Github action "Deploy to Amazon ECS" to create Docker container from Node.js backend and deploy it on ECS.
During deployment, I receive following error:
Fill in the new image ID in the Amazon ECS task definition
Run aws-actions/amazon-ecs-render-task-definition#v1
Error: /home/runner/work/project-app-strapi/project-app-strapi/task-definition.json: Unexpected token � in JSON at position 0
The task-definition.json was generated by following command (as I am not very experienced with aws ecs CLI and prefer to create the infrastructure using AWS Console):
aws ecs describe-task-definition --task-definition "arn:aws:ecs:eu-west-1:076457945931:task-definition/project-strapi:2" --profile project > task-definition.json
also checked the file and it is valid json that doesn't contain any harmful hidden characters. It looks like this:
{
"taskDefinition": {
"taskDefinitionArn": "arn:aws:ecs:eu-west-1:076457945931:task-definition/project-strapi:2",
"containerDefinitions": [{
"name": "project-app",
"image": "076457945931.dkr.ecr.eu-west-1.amazonaws.com/company/project-strapi",
"cpu": 0,
"portMappings": [{
"containerPort": 1337,
"hostPort": 1337,
"protocol": "tcp"
}],
"essential": true,
... other fields, I don't believe they are needed
}
Workflow file is same as the default aws.yml for this Github Action, no changes were made here (besides filling variables):
name: Deploy to Amazon ECS
on:
push:
branches: [ "main" ]
env:
AWS_REGION: eu-west-1 # set this to your preferred AWS region, e.g. us-west-1
ECR_REPOSITORY: company/project-strapi # set this to your Amazon ECR repository name
ECS_SERVICE: project-strapi # set this to your Amazon ECS service name
ECS_CLUSTER: project-strapi-app # set this to your Amazon ECS cluster name
ECS_TASK_DEFINITION: task-definition.json # set this to the path to your Amazon ECS task definition
# file, e.g. .aws/task-definition.json
CONTAINER_NAME: project-app # set this to the name of the container in the
# containerDefinitions section of your task definition
permissions:
contents: read
jobs:
deploy:
name: Deploy
runs-on: ubuntu-latest
environment: production
steps:
- name: Checkout
uses: actions/checkout#v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials#v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login#v1
- name: Build, tag, and push image to Amazon ECR
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ github.sha }}
run: |
# Build a docker container and
# push it to ECR so that it can
# be deployed to ECS.
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition#v1
with:
task-definition: ${{ env.ECS_TASK_DEFINITION }}
container-name: ${{ env.CONTAINER_NAME }}
image: ${{ steps.build-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition#v1
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ env.ECS_SERVICE }}
cluster: ${{ env.ECS_CLUSTER }}
wait-for-service-stability: true
I tried several things, specifically various changes to formatting of json, changing the directory of the file, but the error remains.
First Download the task-defination file then update the image of the task-defination then update it to the ecs service, then you wont get any issue
- name: Download task definition
run: |
aws ecs describe-task-definition --task-definition **your task defination name** --query taskDefinition > taskdefinition.json
- name: new image in ECS taskdefinition
id: demo
uses: aws-actions/amazon-ecs-render-task-definition#v1
with:
task-definition: taskdefinition.json
container-name: **your container name**
image: ${{ steps.check_files.outputs.**image** }}
- name: updating task-definition file
run: cat ${{ steps.demo.outputs.task-definition }} > taskdefinition.json
I have a static web-site stored in AWS S3 and delivered with Cloudfront. I want to deploy updates to the bucket with the following github action .yaml file
name: Upload to S3
on: [pull_request]
jobs:
upload:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#main
- uses: actions/setup-node#v1
with:
node-version: '12.x'
- run: npm ci
- run: npm run build
- uses: shallwefootball/s3-upload-action#master
with:
aws_key_id: ${{ secrets.AWS_KEY_ID }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
aws_bucket: ${{ secrets.AWS_BUCKET }}
source_dir: 'dist'
after the pr is created the jobs are passed but changes are not being pushed to S3
what if we include if:always() just after the name and the id as S3 ex: id: S3 just after uses: shallwefootball/s3-upload-action#master
I am using GitHub Actions with CodeBuild but whenever I run the workflow I am getting error message:
STARTING CODEBUILD
[24](https://github.com/jude
0143143/CodeBuild/runs/3692850080?check_suite_focus=true#step:4:24)Error: The security token included in the request is invalid
name: 'GitHub Actions For CodeBuild'
on:
pull_request:
branches:
- test
env:
tf_version: 'latest'
tg_version: 'latest'
jobs:
deploy:
name: 'Build and Deploy'
runs-on: ubuntu-latest
steps:
- name: 'checkout'
uses: actions/checkout#v2
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials#v1
with:
aws-access-key-id: ${{secrets.AWS_ACCESS_KEY_ID}}
aws-secret-access-key: ${{secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-duration-seconds: 3600
- name: Run CodeBuild
uses: aws-actions/aws-codebuild-run-build#v1
with:
project-name: CodeBuild
buildspec-override: stage/dev-env/buildspec.yml
env-vars-for-codebuild: |
TF_INPUT,
AWS_ACCESS_KEY_ID,
AWS_SECRET_ACCESS_KEY,
AWS_REGION,
ROLE_TO_ASSUME,
ROLE_DURATION_SECONDS,
env:
TF_INPUT: false
AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: us-east-1
ROLE_TO_ASSUME: ${{ secrets.AWS_ROLE_TO_ASSUME }}
ROLE_DURATION_SECONDS: 3600[![enter image description here][1]][1]
The error message indicates that the given role or keys are not valid to execute the action.
You set access key and secret key in both the 'configure AWS credentials' and 'Run CodeBuild' steps. Looking into the Repository for 'aws-actions/aws-codebuild-run-build#v1' it seems that it only needs to be configured in the first step. Not sure how many environments you are expecting to deploy to but if there is only one, then env is redundant.
https://github.com/aws-actions/aws-codebuild-run-build
Somethink like this I expect:
steps:
- name: 'checkout'
uses: actions/checkout#v2
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials#v1
with:
aws-access-key-id: ${{secrets.AWS_ACCESS_KEY_ID}}
aws-secret-access-key: ${{secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
role-duration-seconds: 3600
- name: Run CodeBuild
uses: aws-actions/aws-codebuild-run-build#v1
with:
project-name: CodeBuild
buildspec-override: stage/dev-env/buildspec.yml