I have Jenkins setup for deploying my docker images to a Amazon ECR repository.
I have enabled 2FA in my AWS account for the IAM user. I have attached all admin polices to my IAM User. I am following the below command to push my docker image source to Amazon ECR repository.
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
Ref Link : https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
Jenkins Code:
export aws configure
export AWS_ACCESS_KEY_ID=AKIAJ6CAU****
export AWS_SECRET_ACCESS_KEY=TRXaGmEHN5******
export AWS_DEFAULT_REGION=eu-west-2
$(aws ecr get-login --no-include-email --region eu-west-2)
docker tag add-product:latest 06423123213.dkr.ecr.eu-west-2.amazonaws.com/add-product:$BUILD_NUMBER
docker push 06423123213.dkr.ecr.eu-west-2.amazonaws.com/add-product:$BUILD_NUMBER
I have facing the issue when I deploy to Amazon ECR.
"An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials"
"An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code"
Ref Link :
AWS ECR GetAuthorizationToken
anyway ECR token has a short expiry cycle, you can try to use ecr credential helper instead.
and point your docker to leverage on the helper
{
"credHelpers": {
"aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
}
}
refer: https://lwpro2.wordpress.com/2019/10/30/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/
See if the aws-generated AWS_SECRET_ACCESS_KEY has "/". If you have the "/" generate a new AWS_SECRET_ACCESS_KEY without and add that it will work \o/
Related
I am trying to push docker image to ECR from my mac. I added identity to aws-vault, but using aws-vault failed to obtain password. My peer has the same privilege and he can login to ECR without problem.
.aws % aws-vault list
Profile Credentials Sessions
======= =========== ========
identity identity -
.aws % ENCRYPTED_PASSWORD=$(aws-vault exec identity -- aws ecr get-login-password --region us-west-2)
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::97xxxxxxxxxx:user/xxxxx.xxxxxx#xxxxxxxxx.com is not authorized to perform: ecr:GetAuthorizationToken on resource: * with an explicit deny in an identity-based policy
We are using the same role. I intend to execute the following line once ENCRYPTED_PASSWORD is obtained--
aws-vault exec identity -- aws ecr --region us-west-2 | docker login -u AWS -p ${ENCRYPTED_PASSWORD} xxxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/my-ecr
My .aws/config has this line refer to the above.
[profile identity]
Since my teammate has the same policy/permission, I don't see "GetAuthorizationToken" as an issue. What else? I'm trying to find a way to push my docker images from Mac to the ECR.
Completely redo the config, linked all roles to identity.
[profile xx-xxxx-services-monitoring]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring
source_profile=identity
sparent_profile=mfa
[profile identity]
Now is the token issue-- I entered the code from MFA Authenticator but failed
.aws % aws-vault exec xx-xxxx-main-admin -- aws ecr get-login --region us-west-2
Warning: parent_profile is deprecated, please use include_profile instead in your AWS config
Enter token for arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxxx.xxxx#xxxxxx.com: **125492**
aws-vault: error: exec: Failed to get credentials for xx-xxxx-main-admin: AccessDenied: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.
status code: 403, request id: 25808115-d9fa-480d-87d4-xxxxxxxxxxxxx
Doesn't look like the token is valid from Authenticator MFA
first aws-vault "GetAuthorizationToken" was caused by an unhealthy, ilformatted ~/.aws/config file. Roles must be specified with the following format--
[profile xx-xxxx-services-monitoring]
role_arn=arn:aws:iam::xxxxxxxxxxxx:role/XXMonitoring
source_profile=identity
sparent_profile=mfa
[profile identity]
Second part is MFA issue. MFA serial number must match what you configured in your authenticator. (DUO, Authy, Authenticator...) Your ~/.aws/config should have this section--
[profile mfa]
mfa_serial=arn:aws:iam::xxxxxxxxxxxx:mfa/xxxxx.xxxx#xxxxx.com
I am running into this error when trying to setup ECR authorization token with docker login.
Can you please advice
echo $(aws ecr get-login-password --region us-east-1 --profile test)|docker login --password-stdin --username AWS 123456789.dkr.ecr.us-east-1.amazonaws.com
Error saving credentials: error storing credentials - err: exit status 1, out: not implemented
The command you are using works with AWS CLI v2. The not implemented message may mean you don't have the latest version OR you are using AWS CLI v1? For AWS CLI v1 there is another (similar) command which calls get-login. See here.
I would like to login to an AWS registry from my GCP instance. I have transferred the AWS ID and secret key to the instance via the GCP metadata server and can access them from my script as:
getMetadata() {
curl http://metadata/computeMetadata/v1/instance/attributes/$1 \
-H "Metadata-Flavor: Google"
}
aws_access_key_id=`getMetadata aws_access_key_id`
aws_secret_access_key=`getMetadata aws_secret_access_key`
Now usually locally I can get the AWS login as:
$(aws ecr get-login --no-include-email --region eu-central-1)
I was wondering if there is a way to login to the docker registry from the shell scrip by specifying the AWS ID and the secret key through command line as it is more complicated for me to get the credentials file setup as I want during the GCP instance creation (due to the startup script running as root, for example).
You can pass the access key and secret to AWS CLI while getting the authorization token.
$(AWS_ACCESS_KEY_ID=my_key AWS_SECRET_ACCESS_KEY=my_secret aws ecr get-login --no-include-email --region eu-central-1)
Can we pull images from AWS ECR Repository on an AWS EC2 instance running docker assigning AWS EC2 instance role/policy and AWS ECR Repository permission that provides access to ECR.
I have currently provided all permissions but the error I am getting is "unauthorized: authentication required".
Let me know if this is possible.
you can actually skip the docker login step, even aws ecr get-token which still did the docker login, using ecr credential helper.
with the helper, just config the docker:
{
"credHelpers": {
"aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
}
}
refer to: https://lwpro2.wordpress.com/2019/10/30/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/
Run the below command in your cron and cron will refresh your login credentials.
COMMAND=`eval aws ecr get-login --region us-west-2`
echo `eval $COMMAND`
So you can avoid any login to ecr itself and access seamlessly all the time.
I am getting this error when I try to push a docker container
denied: Your Authorization Token has expired.
I had aws ecr get-login --no-include-email --region us-east-1, I tried the hack someone posted here where you take out the https none have worked.
When I run aws ecr get-login ... I get the code I copy and paste it and get a successful message but when I try to push my docker container I get the denied: Your Authorization Token has expired. I am using docker version Docker version 17.03.1-ce. Any Ideas what I can do?
Thanks!
Please use following command combination:
aws ecr get-login-password --region <REGION> | docker login --username AWS --password-stdin <AWS_ACCOUNT_NO>.dkr.ecr.<AWS_REGION_NAME>.amazonaws.com
Quoting from the documentation:
"This command retrieves and displays an authentication token using the GetAuthorizationToken API that you can use to authenticate to an Amazon ECR registry. You can pass the authorization token to the login command of the container client of your preference, such as the Docker CLI. "
Reference: https://docs.aws.amazon.com/cli/latest/reference/ecr/get-login-password.html
One reason can be the aws-cli version. The version of this CLI tool which seems to be a Python package can be seen in aws --version. I encountered this error for the version aws-cli/2.1.29, but not in the older version aws-cli/1.18.40.
The "aws ecr get-login" command is deprecated, Amazon recommends to use "aws ecr get-login-password" instead.