How to refresh AWS authentication token for EKS cluster - amazon-web-services

I am authenticating via the following.
First I authenticate into AWS with this command:
aws ecr get-login-password --region cn-north-1 | docker login --username AWS --password-stdin xxxxxxxxxx.dkr.ecr.cn-north-1.amazonaws.com.cn
Then I created the regcred secret that I reference in my deployment config:
kubectl create secret generic regcred --from-file=.dockerconfigjson=/home/noobskie/.docker/config.json --type=kubernetes.io/dockerconfigjson
So this was working fine the first 12 hours but now that the AWS token has expired I am having trouble figuring out how to properly refresh it. I have rerun the first command but it doesn't work.
The error I get is:
Error response from daemon: pull access denied for xxxxxxxxxxx.dkr.ecr.cn-north-1.amazonaws.com.cn/baopals, repository does not exist or may require 'docker login': denied: Your authorization token has expired. Reauthenticate and try again.
EDIT
I have just discovered that I can just reconfigure it with the following command, but I am curious whether this is the correct way to handle it and whether there are any other AWS ways offered.
kubectl create secret generic regcred --from-file=.dockerconfigjson=/home/noobskie/.docker/config.json --dry-run -o yaml | kubectl apply -f -
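The refresh described in the EDIT, written out as an added example (not code from the question or from AWS): instead of running docker login and copying ~/.docker/config.json, it builds the dockerconfigjson payload directly from a fresh `aws ecr get-login-password` token and applies the secret idempotently. The region, registry and secret name in the usage line are placeholders; `--dry-run=client` is the current spelling of the `--dry-run` flag used above; `secret_is_stale` assumes you pass epoch seconds.

```shell
#!/usr/bin/env sh
# Added example (not from the original question): rebuild the regcred pull secret from a
# fresh ECR token instead of copying ~/.docker/config.json. Registry, region and secret
# name are passed in by the caller; the values in the usage line are placeholders.
set -eu

# Produce the same JSON that docker login writes to config.json for one registry.
# Pure shell and base64 only, so it can be exercised without AWS access.
build_dockerconfigjson() {
  registry="$1"; username="$2"; password="$3"
  auth=$(printf '%s:%s' "$username" "$password" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$registry" "$auth"
}

# ECR authorization tokens are valid for 12 hours. Given two epoch timestamps
# (when the secret was last written, and now) report whether it is due for refresh.
secret_is_stale() {
  created="$1"; now="$2"
  [ $((now - created)) -ge 43200 ]
}

# Fetch a new token and apply the secret (create on first run, update afterwards).
# --dry-run=client is the current spelling of the --dry-run flag used in the question.
refresh_ecr_pull_secret() {
  region="$1"; registry="$2"; secret="$3"
  password=$(aws ecr get-login-password --region "$region")
  json=$(build_dockerconfigjson "$registry" AWS "$password")
  kubectl create secret generic "$secret" \
    --from-literal=.dockerconfigjson="$json" \
    --type=kubernetes.io/dockerconfigjson \
    --dry-run=client -o yaml | kubectl apply -f -
}

# Usage (placeholders):
#   refresh_ecr_pull_secret cn-north-1 xxxxxxxxxx.dkr.ecr.cn-north-1.amazonaws.com.cn regcred
if [ $# -eq 3 ]; then
  refresh_ecr_pull_secret "$1" "$2" "$3"
fi
```

Because the token only lives 12 hours, schedule the script (cron, or a Kubernetes CronJob with ECR read permissions) to run well inside that window; the secret is overwritten in place, so deployments keep referencing the same `regcred` name.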

Use the following command to generate a token if aws-cli and aws-iam-authenticator are installed and configured:
aws-iam-authenticator token -i <cluster-name>

Related

How to pull a docker image from AWS ECR to Minikube Kubernetes cluster with MFA enabled

I have a docker image in AWS ECR which is in my secondary account. I want to pull that image to the Minikube Kubernetes cluster using AWS IAM Role ARN where MFA is enabled on it. Due to this, my deployment failed while pulling the Image.
I enabled the registry-creds addon to access the ECR image, but it didn't work out.
May I know any other way to access AWS ECR of AWS Account B via AWS IAM Role ARN with MFA enabled using the credential of the AWS Account A?
For example, I provided details like this
Enter AWS Access Key ID: Access key of Account A
Enter AWS Secret Access Key: Secret key of Account A
(Optional) Enter AWS Session Token:
Enter AWS Region: us-west-2
Enter 12 digit AWS Account ID (Comma separated list): [AccountA, AccountB]
(Optional) Enter ARN of AWS role to assume: <role_arn of AccountB>
ERROR MESSAGE:
Warning Failed 2s (x3 over 42s) kubelet Failed to pull image "XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/sample-dev:latest": rpc error: code = Unknown desc = Error response from daemon: Head "https://XXXXXXX.dkr.ecr.ca-central-1.amazonaws.com/v2/sample-dev/manifests/latest": no basic auth credentials
Warning Failed 2s (x3 over 42s) kubelet Error: ErrImagePull
While the minikube addons based solution shown by @DavidMaze is probably cleaner and generally preferable, I wasn't able to get it to work.
Instead, I found out it is possible to give the service account of the pod a copy of the docker login tokens in the local home. If you haven't set a serviceaccount, it's default:
# Log in with aws ecr get-login or however
kubectl create secret generic regcred \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred"}]}'
This will work fine in a bind.
Minikube doesn't have a way to provide the MFA token. You need to create temporary credentials somehow and provide those credentials to minikube addons configure registry-creds.
My day job uses aws-vault and so my typical sequence for setting this up involves running
aws-vault exec some-profile -- env | grep AWS
minikube addons configure registry-creds
and then copying the temporary access key (starts with ASIA...), secret, and session token into the Minikube configuration. I do not enter a role ARN in the final prompt; the temporary credentials are already associated with the right AWS role.
The same restrictions and workaround would apply if you were using the Kubernetes-level imagePullSecrets.
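The workflow in this answer (obtain MFA-backed temporary credentials for the Account B role, then hand the ASIA... key, secret and session token to `minikube addons configure registry-creds`), as an added example that is not the answer's own code. It swaps the aws-vault step for a direct `aws sts assume-role` call; the profile name, role ARN and MFA serial are placeholders you substitute, and `is_temporary_key` is a hypothetical guard that refuses long-lived AKIA keys.

```shell
#!/usr/bin/env sh
# Added example, not from the original answers: fetch MFA-backed temporary credentials
# for the Account B role and print them as exports to paste into the registry-creds
# prompts. Profile, role ARN and MFA serial are placeholders supplied by the caller.
set -eu

# Turn the tab-separated "AccessKeyId SecretAccessKey SessionToken" line that
# `aws sts assume-role --output text` prints into export statements.
creds_to_exports() {
  line="$1"
  set -- $line   # split on whitespace; keys and tokens contain none
  [ $# -eq 3 ] || { echo "expected 3 fields, got $#" >&2; return 1; }
  printf 'export AWS_ACCESS_KEY_ID=%s\nexport AWS_SECRET_ACCESS_KEY=%s\nexport AWS_SESSION_TOKEN=%s\n' \
    "$1" "$2" "$3"
}

# STS temporary access key IDs start with ASIA; long-lived IAM user keys start with AKIA.
# Only temporary credentials belong in a pull secret or the minikube addon config.
is_temporary_key() {
  case "$1" in
    ASIA*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Assume the Account B role from Account A's profile with an MFA code. The returned
# session already carries the role, so no role ARN is entered at the final prompt.
assume_role_with_mfa() {
  profile="$1"; role_arn="$2"; mfa_serial="$3"; token_code="$4"
  creds=$(aws sts assume-role --profile "$profile" --role-arn "$role_arn" \
    --role-session-name ecr-pull --serial-number "$mfa_serial" \
    --token-code "$token_code" --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  set -- $creds
  is_temporary_key "$1" || { echo "refusing non-temporary key $1" >&2; return 1; }
  creds_to_exports "$creds"
}

# Usage (placeholders):
#   assume_role_with_mfa account-a arn:aws:iam::<ACCOUNT_B_ID>:role/<ROLE> \
#     arn:aws:iam::<ACCOUNT_A_ID>:mfa/<USER> 123456
if [ $# -eq 4 ]; then
  assume_role_with_mfa "$1" "$2" "$3" "$4"
fi
```

The printed values are what you paste into the access key, secret and session token prompts of `minikube addons configure registry-creds`; they expire with the STS session (one hour here), so the addon needs reconfiguring on the same cadence.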

Getting error on aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin

In the beginning, this command worked. But, now it is not working.
aws configure
aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com
output is:
An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid
Error: Cannot perform an interactive login from a non TTY device
aws cli version is:
aws --version
aws-cli/2.2.41 Python/3.8.8 Linux/4.15.0-101-generic exe/x86_64.linuxmint.19 prompt/off
When I use a different computer with the same access key and secret key, the following commands work:
aws configure
aws ecr get-login-password --region us-east-2 | docker login --username AWS --password-stdin xxxxxxxxxxxx.dkr.ecr.us-east-2.amazonaws.com
output was:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
So, I think the access key and secret key are fine, and there is something wrong with the aws-cli configuration. I have also tried reinstalling aws-cli, but with no success.
Source I used to reinstall aws-cli:
reinstall aws-cli
OS in which it's not working: Linux Mint 19
OS in which it worked: Ubuntu 20.04
I was running the aws ecr command as the root user, which was not giving a proper error message.
When I ran the aws ecr command as a non-root user, it gave a proper error message, i.e., Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock. So I changed the ownership of docker.sock from user root to my user and group docker using this command:
chown myPublicUser:docker /var/run/docker.sock
Now, running aws ecr as the non-root user should work.

Error when configuring ECR authorization token with docker login

I am running into this error when trying to setup ECR authorization token with docker login.
Can you please advise?
echo $(aws ecr get-login-password --region us-east-1 --profile test)|docker login --password-stdin --username AWS 123456789.dkr.ecr.us-east-1.amazonaws.com
Error saving credentials: error storing credentials - err: exit status 1, out: not implemented
The command you are using works with AWS CLI v2. The not implemented message may mean you don't have the latest version OR you are using AWS CLI v1? For AWS CLI v1 there is another (similar) command which calls get-login. See here.

How to pull AWS Lambda container image

I'm trying to run a Docker container on AWS Lambda.
Specifically I'm following this official tutorial
I have the following Dockerfile
FROM public.ecr.aws/lambda/nodejs:12
COPY app app.js package.json /var/task/
RUN npm install
CMD [ "app.handler" ]
But, when I try to build this I get the following error:
docker build -t hello-world .
Sending build context to Docker daemon 4.608kB
Step 1/4 : FROM public.ecr.aws/lambda/nodejs:12
pull access denied for public.ecr.aws/lambda/nodejs, repository does not exist or may require 'docker login': denied: Your authorization token has expired. Reauthenticate and try again.
When I login with docker login command I still get the same error.
Does anyone know how to resolve this?
Works fine here. You shouldn't need credentials for Public ECR (you can use auth for specific cases) but if you just want to consume it, remove the existing credentials
docker logout public.ecr.aws
and then try the build again.
That said, if you still want to make use of the authentication, you need to re-auth as described in the doc
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

Docker - denied: Your Authorization Token has expired

I am getting this error when I try to push a docker container
denied: Your Authorization Token has expired.
I had aws ecr get-login --no-include-email --region us-east-1; I tried the hack someone posted here where you take out the https; none have worked.
When I run aws ecr get-login ... I get the code, I copy and paste it and get a successful message, but when I try to push my docker container I get the denied: Your Authorization Token has expired. I am using Docker version 17.03.1-ce. Any ideas what I can do?
Thanks!
Please use the following command combination:
aws ecr get-login-password --region <REGION> | docker login --username AWS --password-stdin <AWS_ACCOUNT_NO>.dkr.ecr.<AWS_REGION_NAME>.amazonaws.com
Quoting from the documentation:
"This command retrieves and displays an authentication token using the GetAuthorizationToken API that you can use to authenticate to an Amazon ECR registry. You can pass the authorization token to the login command of the container client of your preference, such as the Docker CLI. "
Reference: https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html
One reason can be the aws-cli version. The version of this CLI tool, which seems to be a Python package, can be seen with aws --version. I encountered this error for the version aws-cli/2.1.29, but not in the older version aws-cli/1.18.40.
The "aws ecr get-login" command is deprecated; Amazon recommends using "aws ecr get-login-password" instead.