Build X fails to push to AWS ECR registry #576

Closed
vbyrd opened this issue Mar 24, 2022 · 3 comments
vbyrd commented Mar 24, 2022

Troubleshooting

Before submitting a bug report, please read the Troubleshooting doc. DONE ✅

Behavior

Build fails when trying to push image to AWS ECR

Steps to reproduce this issue

  1. Use the configuration yaml below to build/tag/push

Expected behavior

Build X should push images to AWS Private ECR successfully

Actual behavior

Build X debug logs show that it is trying to push the image to Docker Registry instead of AWS ECR and thus failing

error: failed to solve: server message: insufficient_scope: authorization failed
url="https://registry-1.docker.io/v2/library/bogus-app/blobs/sha256:SANITIZED"

Configuration

name: MainPush

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v2

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - name: Get ECR Registry
        id: ecr-login
        uses: aws-actions/amazon-ecr-login@v1

      - name: Login to ECR
        uses: docker/login-action@v1
        with:
          registry: ${{ steps.ecr-login.outputs.registry }}

      - name: Set up Docker Buildkit
        uses: docker/setup-buildx-action@v1
        with:
          buildkitd-flags: --debug

      - name: Get Tags for Image
        id: metadata
        uses: docker/metadata-action@v3
        with:
          images: ${{ github.event.repository.name }}
          tags: |
            type=raw,value=latest
            type=raw,value=main
            type=sha

      - name: Docker build/tag/push
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: ${{ steps.metadata.outputs.tags }}

Logs

Docker Login Log:

Run docker/login-action@v1
  with:
    registry: ***.dkr.ecr.us-east-1.amazonaws.com
    ecr: auto
    logout: true
  env:
    AWS_DEFAULT_REGION: us-east-1
    AWS_REGION: us-east-1
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
Retrieving registries data through AWS SDK...
AWS ECR detected with us-east-1 region
Logging into https://***.dkr.ecr.us-east-1.amazonaws.com...
Login Succeeded!

Build X Debug Log of Failure:

time="2022-03-24T01:17:11Z" level=debug msg="checking and pushing to" digest="sha256:<SANITIZED>" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip size=2789449 url="https://registry-1.docker.io/v2/library/bogus-app/blobs/sha256:<SANITIZED>"
time="2022-03-24T01:17:11Z" level=debug msg="do request" digest="sha256:<SANITIZED>" mediatype=application/vnd.docker.image.rootfs.diff.tar.gzip request.header.accept="application/vnd.docker.image.rootfs.diff.tar.gzip, */*" request.header.user-agent=buildkit/0.0.0+unknown request.method=HEAD size=2789449 url="https://registry-1.docker.io/v2/library/bogus-app/blobs/sha256:<SANITIZED>"
time="2022-03-24T01:17:11Z" level=error msg="/moby.buildkit.v1.Control/Solve returned error: rpc error: code = Unknown desc = server message: insufficient_scope: authorization failed\n"
time="2022-03-24T01:17:11Z" level=debug msg="session finished: <nil>"

Docker build/tag/push calling buildx Log:

/usr/bin/docker buildx build --iidfile /tmp/docker-build-push-50JQ2V/iidfile --tag bogus-app:latest --tag bogus-app:main --tag bogus-app:sha-SANITIZED --metadata-file /tmp/docker-build-push-50JQ2V/metadata-file --push .

@crazy-max (Member)

@vbyrd That seems pretty clear to me: insufficient_scope: authorization failed.

You're trying to push bogus-app:latest which will be by default Docker Hub if the registry is not specified (hence registry-1.docker.io/v2/library/bogus-app).

In this case images: ${{ github.event.repository.name }} is wrong in the metadata action step. I guess it should be something like:

      - name: Get Tags for Image
        id: metadata
        uses: docker/metadata-action@v3
        with:
          images: ${{ steps.ecr-login.outputs.registry }}/${{ github.event.repository.name }}
          tags: |
            type=raw,value=latest
            type=raw,value=main
            type=sha
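
The resolution rule described in the reply above, as an added example (not part of the original thread and not code from the Docker actions): a POSIX shell guard that could run in a `run:` step before the push and fails when a tag would go to a registry other than the one that was logged into. The function names and the account ID `123456789012` are made up for illustration, and the normalization is a simplified version of Docker's rule.

```shell
#!/bin/sh
# Added example. normalize_ref/check_tags are hypothetical helper names.

# normalize_ref REF: print REF with the registry Docker would contact made explicit.
# Simplified rule: the first path component is a registry host only if it
# contains '.' or ':' or is "localhost"; otherwise Docker Hub is assumed.
normalize_ref() {
  ref=$1
  first=${ref%%/*}
  case "$ref" in
    */*)
      case "$first" in
        *.*|*:*|localhost) echo "$ref"; return 0 ;;   # already registry-qualified
      esac
      echo "docker.io/$ref" ;;                         # user/repo on Docker Hub
    *)
      echo "docker.io/library/$ref" ;;                 # bare name, e.g. bogus-app:latest
  esac
}

# check_tags EXPECTED_REGISTRY TAG...: return 1 (reporting on stderr) if any
# tag resolves to a registry other than EXPECTED_REGISTRY.
check_tags() {
  expected=$1; shift
  rc=0
  for tag in "$@"; do
    full=$(normalize_ref "$tag")
    host=${full%%/*}
    if [ "$host" != "$expected" ]; then
      echo "refusing to push '$tag': resolves to $full, not $expected" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample values: the tags from the failing run and a qualified one.
ECR=123456789012.dkr.ecr.us-east-1.amazonaws.com
check_tags "$ECR" bogus-app:latest bogus-app:main || echo "unqualified tags blocked"
check_tags "$ECR" "$ECR/bogus-app:latest" && echo "qualified tag accepted"
```

In a workflow, the expected registry would come from `steps.ecr-login.outputs.registry` and the tags from `steps.metadata.outputs.tags`.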

vbyrd commented Mar 24, 2022

Ah I see. I will try this shortly. I assumed that the metadata action step would use the registry authenticated in the login action step by default (much like the login action step uses the aws-credentials step automatically). It's a bit counterintuitive but I get why it was done (allow for multiple registry logins, etc.)

Perhaps "docker/login-action@v1" could have an output of registry much like "amazon-ecr-login@v1" so that it is clear we are using "steps.docker-login.outputs.registry" in this metadata "images" step. Seems like it would still allow for multiple logins and metadata.

vbyrd commented Mar 24, 2022

I confirmed that it is working as expected.

vbyrd closed this as completed Mar 24, 2022