I'm trying to run the following command from gitlab CI:
$ aws ecr get-login-password --region eu-west-3
Here's how the job in the .gitlab-ci.yml looks like this
publish-job:
stage: publish
image:
name: amazon/aws-cli:latest
entrypoint: [""]
script:
- aws configure set aws_access_key_id MY_ACCESS_KEY_ID
- aws configure set aws_secret_access_key MY_SECRET_ACCESS_KEY
- aws configure set default.region eu-west-3
- aws ecr get-login-password --region eu-west-3
And at the last step I get the following error:
$ aws ecr get-login-password --region eu-west-3
An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
I know there's a similar question on stack overflow but I think it's not the same problem. In that question it's an issue that has to do with permissions. In my case I'm pretty sure it isn't for 2 reasons:
I gave the user associated with the access key AdministratorAccess (temporarily in order to rule out the possibility that I'm dealing with an permissions issue)
I performed the exact same steps (by copying and pasting) with docker and it works, so it's not the credentials. Here's the Dockerfile:
FROM amazon/aws-cli:latest
RUN aws configure set aws_access_key_id THE_SAME_ACCESS_KEY_ID
RUN aws configure set aws_secret_access_key THE_SAME_SECRET_ACCESS_KEY
RUN aws configure set default.region eu-west-3
RUN aws ecr get-login-password --region eu-west-3
Then I ran $ docker build --progress=plain . and the last step returned a hash
Any Idea why those steps give inconsistent results? And how to fix the CI?
I declared an AWS_DEFAULT_REGION environment variable that was preventing the cli from executing the command (even though I hardcoded the credentials at this stage). When I removed the environment variable, everything started working properly.
I want to pull from a private AWS ECR. I have created a new policy and a API user with the correct permissions to pull.
The issue I have is... I'm running this on a machine where I don't want to use credentials files:
aws ecr get-login
I would like to use the aws_access_key_id and aws_secret_access_key to get a login token i.e
aws ecr get-login <aws_access_key_id> <aws_secret_access_key>
Is this possible or do I have any way to achieve this without saving out a file or running aws configure?
You can specify your configuration with environment variables, for example like this (Linux/Mac OS):
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
They will then only last until the end of your shell session (unless you put them in your shell startup script). You can read more about this, and see additional examples here.
I'm trying to push a Docker image from Dockerfile built to AWS ECR but when run this command:
$ aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
appears the error:
An error occurred (AccessDeniedException) when calling the
GetAuthorizationToken operation: User:
arn:aws:iam::477629773586:user/albertosanmartin is not authorized to
perform: ecr:GetAuthorizationToken on resource: * Error: Cannot
perform an interactive login from a non TTY device
I have installed and configured those files:
~/.aws/configure:
[default]
...
[mrthink]
region = eu-west-1
output = json
~/.aws/credentials
[default]
...
[mrthink]
aws_access_key_id = ****
aws_secret_access_key = ****
Seems to the command api get other user "albertosanmartin"
Anybody could help me please ?
Thanks in advance.
If you have your credentials configured under mrthink profile name in ~/.aws/credentials you need to pass the --profile param to the aws cli
$ aws --profile mrthink ecr get-login-password \
--region eu-west-1 |\
docker login --username AWS \
--password-stdin 477629773586.dkr.ecr.eu-west-1.amazonaws.com
The user arn:aws:iam::477629773586:user/albertosanmartin doesnt have access to ECR
You can double-check your credentials via sts get-caller-identity call if they are which you want to use.
I have Jenkins setup for deploying my docker images to a Amazon ECR repository.
I have enabled 2FA in my AWS account for the IAM user. I have attached all admin polices to my IAM User. I am following the below command to push my docker image source to Amazon ECR repository.
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
Ref Link : https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
Jenkins Code:
export aws configure
export AWS_ACCESS_KEY_ID=AKIAJ6CAU****
export AWS_SECRET_ACCESS_KEY=TRXaGmEHN5******
export AWS_DEFAULT_REGION=eu-west-2
$(aws ecr get-login --no-include-email --region eu-west-2)
docker tag add-product:latest 06423123213.dkr.ecr.eu-west-2.amazonaws.com/add-product:$BUILD_NUMBER
docker push 06423123213.dkr.ecr.eu-west-2.amazonaws.com/add-product:$BUILD_NUMBER
I have facing the issue when I deploy to Amazon ECR.
"An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials"
"An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code"
Ref Link :
AWS ECR GetAuthorizationToken
anyway ECR token has a short expiry cycle, you can try to use ecr credential helper instead.
and point your docker to leverage on the helper
{
"credHelpers": {
"aws_account_id.dkr.ecr.region.amazonaws.com": "ecr-login"
}
}
refer: https://lwpro2.wordpress.com/2019/10/30/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/
See if the aws-generated AWS_SECRET_ACCESS_KEY has "/". If you have the "/" generate a new AWS_SECRET_ACCESS_KEY without and add that it will work \o/
When I pull a clean Alphine Linux Docker image, install aws-cli on it and try to authenticate myself with aws ecr get-authorization-token --region eu-central-1 I keep getting the following error:
An error occurred (UnrecognizedClientException) when calling the
GetAuthorizationToken operation: The security token included in the
request is invalid.
I've already checked the timezone which seem to be okay, and the command works properly on my local machine.
These are the commands I run to set up aws-cli:
apk add --update python python-dev py-pip
pip install awscli --upgrade
export AWS_ACCESS_KEY_ID=XXXXXXXXXXXXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Is there something obvious I'm missing?
You don't have permission to access those resources until you get permission to aws-cli, for that you can use the below steps.
Log into your AWS account, click on your account name, select my security credentials, click on access keys and download the credentials
Open your PowerShell as administrator and follow the commands.
$ aws configure
$ AWS Access Key ID [****************E5TA]=xxxxxxxxxx
$ AWS Secret Access Key [****************7gNT]=xxxxxxxxxxxxxx
It was an access issue after all! Turns out that if you create a new IAM user with full admin access it can't by default access the ECR registry you created using a different account. Using the IAM credentials from that other account resolved the issue.
In my case, my ~/.aws/credentials file had an old aws_session_token that was not updated by the aws configure CLI command. Once I opened the file with vi ~/.aws/credentials and deleted the aws_session_token entry, I no longer encountered the UnrecognizedClientException. I'm guessing that the AWS CLI first gives priority to the aws_session_token over the aws access key id and aws secret access key when running AWS CLI commands, if aws_session_token is present in the ~/.aws/credentials file.
Create a new account with AmazonEC2ContainerRegistryFullAccess permission.
Add this account to the .credentials file like this:
[ecr-user]
aws_access_key_id = XXX
aws_secret_access_key = XXX
Then next use following command:
aws ecr get-login-password --profile ecr-user
What worked for me is:
on the first part of pipe add the param --profile < your-profile-name >
and after that in every ECR command you need to provide that parameter.
My issue was caused by the fact that I had inactivated my access key in the AWS IAM Management Console earlier as part of an exercise I was doing. Once I reactivated it, the problem was resolved.
(Make sure you're in the right AWS region, too.)
I had same error message however I was using session based AWS access . The solution is to add all the keys given by AWS including session token.
aws_access_key_id="your-key-id"
aws_secret_access_key="your-secret-access-key"
aws_session_token="your-session-token"
add it into ~/.aws/credentials for profile you are using .
After a couple of hours , this is my conclusion :
If you want to use AWS_PROFILE makes sure that the rest of AWS env vars are unset (NOT empty only ... MUST be UNSET).
profile=$AWS_PROFILE
unset $(printenv |grep AWS_ | cut -f1 -d"=");
export AWS_PROFILE=${profile};
Then :
# with aws cli >= 1.x
$(aws ecr get-login --no-include-email --region ${aws_region})
# with aws cli >= 2.x
registry=${aws_account_id}.dkr.ecr.${aws_region}.amazonaws.com
aws ecr get-login-password --region ${aws_region} | docker login --username AWS --password-stdin ${registry}
Resolved issue after following below:
Go to AWS IAM Management Console
Generate credential in section "Access keys (access key ID and secret access key)"
Run command aws configure and set same downloaded credentials in Cdrive-User-directory.aws\credentials
It wasn't working for me. Out of sheer desperation, I copied the lines starting with export and posted them in the terminal and pressed enter.
Thereafter I wrote aws configure and filled in the details from https://MYCOMPANY.awsapps.com/start#/ >> Account >> Clicked "Command line or programmatic access".
Default region name: eu-north-1
Default output format: text
And then the login succeeded. Don't ask my why.
open the file ~/.aws/credentials (or c:\Users\{user}\.aws\credentials on Windows)
It might look something like the following:
[default]
aws_access_key_id = XXXXX
aws_secret_access_key = XXXXX
aws_session_token = XXXXX
Update the aws_access_key_id and aws_secret_access_key with new values and remove the aws_session_token. You can also update aws_access_key_id and aws_secret_access_key via the aws configure command, but this doesn't remove the session token.
Try running echo $varname to see if the environment variables are set correctly:
echo $AWS_ACCESS_KEY_ID
echo $AWS_SECRET_ACCESS_KEY
echo $AWS_DEFAULT_REGION
If they are incorrectly set, run unset varname:
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
unset AWS_DEFAULT_REGION
In my case, the region I wanted to use was not enabled. Addressed by enabling it at Account > AWS Regions -> enable (and wait patiently for some minutes).
An update, --profile must be added, I solve this.