-
Notifications
You must be signed in to change notification settings - Fork 531
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crane auth login fails when docker login works #861
Comments
What happens if you just delete the global |
I have
This is sunk to HEAD and freshly installed. |
Ah, this is probably because the cred helper doesn't like being invoked to store, lemme futz with it. |
Yeah I think you just use the |
If I move |
Seems to work for me. |
I just did a |
So the main thing I'd note here is that ECR is minting short-lived credentials, so given enough delay between the |
When you say move between invocations do you mean run a mv command to somehow refresh it? I'm trying a login and then immediate pull and receiving the 401s. I too would have expected the ecrhelper to work that's why I'm puzzled. Its the same pw that is generated throughout the day for me, for what its worth. |
Same issue. |
To eliminate any confounding variables, what happens if you config file is just this?
Don't login or anything, just try e.g. |
I simplified the config.json to this and same 401 error. |
If you use |
Www-Authenticate: Basic realm="https://acctid.dkr.ecr.us-east-2.amazonaws.com/",service="ecr.amazonaws.com" edit: full log
|
I wonder if your proxy (context: GoogleContainerTools/kaniko#676) is dropping headers or if the go http client (or maybe go-containerregistry) is somehow dropping them? I'm obviously not privy to how your network is configured, but have you tried fiddling with |
So I went into my Jenkins Docker Container (running Debian Linux) and this worked with the credential helper. I'm not sure what's going on but it must be an issue with my MacOS setup (enterprise configuration or proxy dropping headers are good theories). That CI environment where I need this longterm, so I guess it was a wasted effort trying to configure it locally first. |
Glad it at least works where you need it, but now you've piqued my curiosity...
This is really suspicious. Is that /v2/v2/ really there? Or was this a copy/paste error during redaction?
It may be that they expect us to do some token exchange at that |
Looks like that may have been a typo. I re-ran an So I just now caught a tip that we moved towards a new proxy recently and I set that in my bash_profile. That proxy let the I really appreciate your guys' help in investigating this with me. edit: here's the verbose
|
Fantastic! Glad to see it works. Going to close this out 🎉 |
Steps to reproduce on macOS catalina bash. For what its worth I'm behind an enterprise proxy:
$ echo "acctid.dkr.ecr.us-east-2.amazonaws.com" | crane auth get | jq .password | sed 's/"//g'
long string password is output
$ crane auth login acctid.dkr.ecr.us-east-2.amazonaws.com -u AWS -p stringfromabove
$ crane pull acctid.dkr.ecr.us-east-2.amazonaws.com/reponame:tag tarball.tar
Error:
2020/12/07 13:27:15 GET https://acctid.dkr.ecr.us-east-2.amazonaws.com/v2/repo-name/manifests/tag-name: unexpected status code 401 Unauthorized: Not Authorized
$ docker login acctid.dkr.ecr.us-east-2.amazonaws.com -u AWS -p longstringfromabove
warning about --password via cli followed by Login Succeeded
docker pull succeeds
Config.json:
I also tried adding a
and setting the
credsStore
toecr-login
. But that didn't help my crane pull either. Running adocker pull
with the ecr credHelpers set did work.My AWS Environment Variables are set, as is the certificate path location.
The text was updated successfully, but these errors were encountered: