Kaniko failing to push to ECR #1455
Comments
|
Will the v1.3.0 with #1458 fix it? |
It does not. Having this problem on 1.3.0. Although the error is slightly different, so may be a new issue, please tell me if I should open a new issue. (Replaced ^ account id with 000000000000) The problem is, ECR requires you to manually create new sub-repos annoyingly unlike some other container registries. Thus the error above. I could fix it if I create a new repo with /cache suffixed though. For now I'm going to just manually create a secondary cache-specific repo for every ECR repo, but this is super annoying. Should be a better fix. Eg: should just push to the same ECR repo. Perhaps with a tag prefix of _cache or something so it could be identified and purged easily if desired. |
|
Edit ^ guess I figured that out, you can choose cache-repo, can choose the same repo. :P |
|
Hi @AndrewFarley But at the end job I have the following error : Do you have an idea ? Thanks :) |
|
@jordan85 Pay attention to the last message... My guess is whatever IAM role or AWS credentials you have granted to your runner/image doesn't have access to that ECR repo, and/or that does not exist (yet). Honestly, the error messages of Kaniko could be a lot better, but I understand it's just giving you the error from upstream. It could be more intelligent about it though, it's frustrating to debug. I would check...
|
|
Thanks for your reply @AndrewFarley 1 - I think yes ; because temp image are correctly upload in my ECR "myproject/cache" I use amazon-ecr-credential-helper, I have open issue for this awslabs/amazon-ecr-credential-helper#270 This problem is only present during a Docker multi stage. If you want I can add verbose log in my Kaniko but don't sure is most for you.. Have a good day :) |
|
@jordan85 Weird, if it's only during a multi-stage that indeed sounds like a bug. Sorry I'm not a kaniko dev, just trying to help. :( Likely pasting/pastebin-ing a verbose log would be helpful for devs debugging it though. Can't hurt. Best of luck! |
|
Are you sure you are using correct command to set credentials config? Seems that you forget about escaping... As you can see, you docker config is messed up |
|
I am also seeing same issues it say running below command on my local It was able download the context but failing while pushing it ecr. Same configuration was working till yesterday |
|
Hi all and @tiru1930 Issue is fix for me. Stupid problem but I dont't know if it's a bug or not... As a reminder
For my ECR authentification I used the following line : echo "{"credHelpers":{"$ECR_REGISTRY":"ecr-login"}}" > /kaniko/.docker/config.json It’s important not to use kaniko user (home directory) for config.json storage. |
|
@jordan85 thank you , i have figured it out, it was running this command after setting docker config, |
|
@jordan85 were you able to figure out the solution for With gitlabci and multi-stage image builder my ECR push : FAILED . we also facing same issue with single stage build it is working fine |
|
@jordan85 Thank you. Doing |
|
I previously had only Maybe this needs a documentation update to add the credHelpers piece? In any case, I'm able to reproduce 100% with multistage images. It works fine with non-multistage images. |
|
I have a similar issue, but setting Error message: My terraform config: I am giving the following IAM permissions using OIDC: |
- Kaniko v.1.8.0 does not require additional cred helper logic for ECR, as it discovers ECR repositories automatically and acts accordingly. Thus removed from the documentation. - Add details on using IAM role based authentication for pushing to ECR. Fixes: GoogleContainerTools#780 Fixes: GoogleContainerTools#1455 Signed-off-by: Jasper Orschulko <[email protected]>
- Kaniko v.1.8.0 does not require additional cred helper logic for ECR, as it discovers ECR repositories automatically and acts accordingly. Thus removed from the documentation. - Add details on using IAM role based authentication for pushing to ECR. Fixes GoogleContainerTools#780 Fixes GoogleContainerTools#1455 Signed-off-by: Jasper Orschulko <[email protected]>
- Kaniko v.1.8.0 does not require additional cred helper logic for ECR, as it discovers ECR repositories automatically and acts accordingly. Thus removed from the documentation. - Add details on using IAM role based authentication for pushing to ECR. Fixes GoogleContainerTools#780 Fixes GoogleContainerTools#1455 Signed-off-by: Jasper Orschulko <[email protected]>
- Kaniko v.1.8.0 does not require additional cred helper logic for ECR, as it discovers ECR repositories automatically and acts accordingly. Thus removed from the documentation. - Add details on using IAM role based authentication for pushing to ECR. Fixes GoogleContainerTools#780 Fixes GoogleContainerTools#1455 Signed-off-by: Jasper Orschulko <[email protected]>
- Kaniko v.1.8.0 does not require additional cred helper logic for ECR, as it discovers ECR repositories automatically and acts accordingly. Thus removed from the documentation. - Add details on using IAM role based authentication for pushing to ECR. Fixes #780 Fixes #1455 Signed-off-by: Jasper Orschulko <[email protected]>
Oh, there still seem to be issues regarding multistage builds with the new instructions for v1.8.0 @imjasonh 😕 |
|
I also have the same problem. Single stage or multi stage pipelines make no difference and both fail with an EOF error: This problem has also been mentioned here but the solution is not clear: |
Are you using aws credentials or IAM roles for authentication? Are you using kaniko v1.8.0? |
Thank you for your fast reply. I use aws credentials for the authentication and kaniko v1.8.0 in a gitlab CICD pipeline |
Same with us as well on gitlab ci/cd pipeline |
|
Ok, I believe we need more details on the exact setup you guys are using. Can you post here how you are calling the kaniko build step? Personally, I haven't used credential based authentication, but I would assume that it should work identically to IAM based authentication (which I know to be working, at least with single stage builds) with the exception that credentials have to be mounted at the appropriate place. |
echo "{\"credsStore\":\"ecr-login\",\"credHelpers\":{\"${DOCKER_ECR_REPO_URL}\":\"ecr-login\"}}" > /kaniko/.docker/config.json
mkdir -p ~/.aws/
cat <<EOF > ~/.aws/credentials
[test-ecr]
aws_access_key_id=$ORIG_AWS_ACCESS_KEY_ID
aws_secret_access_key=$ORIG_AWS_SECRET_ACCESS_KEY
EOF
export AWS_PROFILE=test-ecr
/kaniko/executor \
--context $CI_PROJECT_DIR \
--dockerfile $CI_PROJECT_DIR/Dockerfile \
--destination $DOCKER_ECR_REPO_URL/$DOCKER_IMAGE_NAME:$CI_COMMIT_SHA \
--verbosity ${KANIKO_VERBOSE_LEVEL:-info} \
--skip-unused-stagesThis is how we are doing this is working in old kaniko version but not with 1.18 |
this shouldn't be necessary anymore since kaniko 1.18.0: #780 (comment)
Shouldn't this be Have you tried reproducing this issue locally, e.g.: |
|
@Jasper-Ben profile name is pointint to correct one only in our config here while chaing actual name cause this. Also have updated values above |
|
Hm ok... other than that your config file looks correct to me. 🤔 |
|
ok let me try that. |
|
one more question same settings works fine when public ecr is used but private one is only causing issue |
Hm, interesting. I guess the initial connection check just tries to connect to the ECR in general and does not probe push permissions. Thus, this would not cause a permission issue, as anonymous connections to the public ECR are possible. I assume you still need to authenticate when pushing images to a public ECR? If this is the case and you are able to push the image successfully, my guess would be that the initial connection check does not honor the provided credentials, but the authentication during the actual push operation works. |
|
@Jasper-Ben issue is with AWS_PROFILE due to some reason profile is not working i change the name of profile to |
|
I don't think I understand the issue well enough to comment. I need to find some time to use Kaniko with ECR myself. If folks think that documenting AWS_PROFILE behavior would be helpful, I can approve a PR to add that to the README until I can debug it myself. |
mkdir -p /kaniko/.docker
cat <<EOF | tee /kaniko/.docker/config.json
{
"auths": {
"${CI_REGISTRY_IMAGE}": {
"username": "${CI_REGISTRY_USER}",
"password": "${CI_REGISTRY_PASSWORD}"
}
},
"credHelpers": {
"${aws_account_id}.dkr.ecr.${region}.amazonaws.com": "ecr-login"
}
}
EOF
export AWS_PROFILE=${stage}this appears to work even without having the
|
What version of kaniko did you use for this? And i am straightaway configuring username as aws and password as aws ecr get-login-passowrd, mine is still failing. |
Actual behavior
Trying to push to ECR with Kaniko on Gitlab on Kubernetes and get a user denied with the node instance role as the user even when providing access and secret keys with the credstore.
Expected behavior
images pushes to ECS
To Reproduce
Steps to reproduce the behavior:
$ echo "{"credsStore":"ecr-login","credHelpers":{"$AWS_DOCKER_URL":"ecr-login"}}" > /kaniko/.docker/config.json
$ /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $DOCKER_REPOSITORY:$CI_COMMIT_SHORT_SHA --build-arg NPM_TOKEN=$NPM_TOKEN --skip-unused-stages=true
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "[MASKED].dkr.ecr.us-east-1.amazonaws.com/[MASKED]:b263001f": POST https://[MASKED].dkr.ecr.us-east-1.amazonaws.com/v2/[MASKED]/blobs/uploads/: DENIED: User: arn:aws:sts::[MASKED]:assumed-role/[MASKED]-NodeInstanceRole/i-[MASKED] is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-east-1:[MASKED]:repository/[MASKED]
--cacheflagThe text was updated successfully, but these errors were encountered: