docker-credentials-ecr-login : kaniko cannot pull base image from ecr

Leslie

May 29, 2020, 11:04:49 PM
to kaniko-users
kaniko-executor:debug-v0.22.0 (latest)
This version contains docker-credentials-ecr-login (v 0.4.0)
From inside the container, I ran it and it returns {"https://account.dkr.ecr.us-east-1.amazon.aws.com": "AWS"}
I ran it like this:
AWS_REGION, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN docker-credentials-ecr-login list

From the command line, I verified that my creds are current and I have permission by running
$ aws ecr get-authorization-token 
and I get a token back

BUT, when I run kaniko to build an image, I get the error message "Error while retrieving image from cache". I don't know what cache it is referring to. I did not opt in to cache images. I am not using warming.

docker run --rm -v "$(pwd)"/buildcontext:/workspace -v "$(pwd)"/aws:/root/.aws -v "$(pwd)"/docker:/kaniko/.docker:ro gcr.io/kaniko-project/executor:debug --dockerfile=Dockerfile --context=dir:///workspace --verbosity trace --no-push

Is the error related to docker-credentials-ecr-login (aka credentials helper)? Does the credentials helper ever get the ecr token? Is the GET request coming from the credentials helper?

Output:

DEBU[0000] Getting source context from dir:///workspace
DEBU[0000] Build context located at /workspace
DEBU[0000] Copying file /workspace/Dockerfile to /kaniko/Dockerfile
TRAC[0000] Adding /var/run to initialWhitelist
DEBU[0000] Skip resolving path /kaniko/Dockerfile
DEBU[0000] Skip resolving path /workspace
DEBU[0000] Skip resolving path /cache
DEBU[0000] Skip resolving path
DEBU[0000] Skip resolving path
DEBU[0000] Skip resolving path
DEBU[0000] Built stage name to index map: map[]
INFO[0000] Retrieving image manifest account.us-east-1.amazonaws.com/upstream/alpine
ERRO[0000] Error while retrieving image from cache: account.dkr.ecr.us-east-1.amazonaws.com/upstream/alpine GET https://account.dkr.ecr.us-east-1.amazonaws.com/v2/upstream/alpine/manifests/latest: unsupported status code 401; body: Not Authorized
INFO[0000] Retrieving image manifest account.dkr.ecr.us-east-1.amazonaws.com/upstream/alpine
error building image: GET https://account.dkr.ecr.us-east-1.amazonaws.com/v2/upstream/alpine/manifests/latest: unsupported status code 401; body: Not Authorized


Dockerfile:
RUN cat /kaniko/.docker/config.json

Leslie

May 29, 2020, 11:22:06 PM
to kaniko-users
To be complete:
config.json { "credHelpers": { "account.dkr.ecr.us-east-1.amazonaws.com": "ecr-login" } }

credentials file: 
[default]
region-us-east-1
aws_access_key_id = 
aws_secret_access_key = 

[profile A]
aws_access_key_id = 
aws_secret_access_key = 
aws_session_token = 
aws_security_token = 
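
Whether the credential helper ever hands back an ECR token, as asked in the first post, can be checked directly with the Docker credential-helper `get` call. This is an added example, not part of the original posts or the kaniko project; it assumes the helper named in `credHelpers` is reachable as `docker-credential-<name>` on `PATH` (the `bin_dir` argument is a hypothetical override), and it reports only the secret's length, never the secret.

```python
import json
import subprocess
import sys
from pathlib import Path


def check_helper(config_path, registry, bin_dir=None):
    """Ask the credHelpers entry for `registry` for a credential via `get`.

    Returns a summary dict; the secret is never returned, only its length.
    """
    try:
        config = json.loads(Path(config_path).read_text())
    except (OSError, ValueError) as exc:
        return {"ok": False, "reason": "cannot read config: %s" % exc}
    helper = config.get("credHelpers", {}).get(registry)
    if helper is None:
        return {"ok": False, "reason": "no credHelpers entry for " + registry}
    binary = "docker-credential-" + helper
    if bin_dir:  # hypothetical override, used to point at a specific copy
        binary = str(Path(bin_dir) / binary)
    try:
        # Helper protocol: server name on stdin, JSON credential on stdout.
        proc = subprocess.run([binary, "get"], input=registry, text=True,
                              capture_output=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return {"ok": False, "reason": "cannot run helper: %s" % exc}
    if proc.returncode != 0:
        # On failure a helper prints its error text and exits non-zero.
        return {"ok": False, "reason": (proc.stdout + proc.stderr).strip()}
    try:
        reply = json.loads(proc.stdout)
    except ValueError:
        return {"ok": False, "reason": "helper output is not JSON"}
    secret = reply.get("Secret") or ""
    return {"ok": bool(secret), "server": reply.get("ServerURL"),
            "username": reply.get("Username"), "secret_length": len(secret)}


if __name__ == "__main__":
    # Defaults are the config path and registry name shown in the thread.
    cfg = sys.argv[1] if len(sys.argv) > 1 else "/kaniko/.docker/config.json"
    reg = sys.argv[2] if len(sys.argv) > 2 else \
        "account.dkr.ecr.us-east-1.amazonaws.com"
    print(json.dumps(check_helper(cfg, reg), indent=2))
```

A result with `"ok": false` and the helper's own error text in `reason` points at the credential chain; `"ok": true` means a token was issued and the 401 has to be explained elsewhere.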