Kaniko does not seem to support assume-role for AWS ECR #785

Closed
abergmeier opened this issue Sep 19, 2019 · 4 comments · Fixed by #930
Labels
area/usability For all bugs related to how people use kaniko, option and feature flags, etc kind/question Further information is requested priority/p3 agreed that this would be good to have, but no one is available at the moment.

Comments

@abergmeier
Contributor

Actual behavior
A similar environment in CloudBuild works for ecr get-login but not for Kaniko.
Error message is:

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "123456.dkr.ecr.eu-central-1.amazonaws.com/mybest": unsupported status code 401; body: Not Authorized

Expected behavior
Should work with assume-role same as aws cli. Or at least provide usable debug information when doing AWS auth.

To Reproduce
Steps to reproduce the behavior:

  1. Setup CloudBuild
  2. Use AWS CLI:
- name: "atlassian/pipelines-awscli:1.16.185"
  entrypoint: /bin/ash
  args:
  - "-c"
  - |
    set -o errexit -o nounset -o pipefail
    export HOME=/root
    cat <<EOF > /root/.aws/credentials
    [functional]
    role_arn = arn:aws:iam::54321:role/functional
    source_profile = default
    [default]
    aws_access_key_id=$$AWS_ACCESS_KEY_ID
    aws_secret_access_key=$$AWS_SECRET_ACCESS_KEY
    EOF
    export AWS_DEFAULT_REGION=eu-central-1
    export AWS_SDK_LOAD_CONFIG=true
    export AWS_PROFILE=functional
    unset AWS_ACCESS_KEY_ID
    unset AWS_SECRET_ACCESS_KEY
    aws ecr get-login --no-include-email
  secretEnv:
  - AWS_ACCESS_KEY_ID
  - AWS_SECRET_ACCESS_KEY
  volumes:
  - name: "awsconfig"
    path: "/root/.aws/"
  3. Add a Kaniko step later on:
- name: "gcr.io/kaniko-project/executor:debug"
  entrypoint: /busybox/sh
  args:
  - "-c"
  - |
    set -o errexit -o nounset -o pipefail
    cat <<EOF > /kaniko/.docker/config.json
    {
      "credHelpers": {
        "123456.dkr.ecr.eu-central-1.amazonaws.com": "ecr-login"
      }
    }
    EOF
    set -o errexit -o nounset -o pipefail
    export AWS_DEFAULT_REGION=eu-central-1
    export AWS_SDK_LOAD_CONFIG=true
    export AWS_PROFILE=functional
    /kaniko/executor --destination ${_IMAGE} \
                     --cache true \
                     --cache-ttl 24h \
                     --cache-repo eu.gcr.io/${PROJECT_ID}/cache \
                     --context /workspace/ \
                     --dockerfile Dockerfile \
                     --reproducible \
                     --verbosity debug
  volumes:
  - name: "awsconfig"
    path: "/root/.aws/"
  - name: "dockerconfig"
    path: "/kaniko/.docker/"

The former step works, the latter fails. Not sure what to try or whether this is just not supported/a bug in Kaniko.

@tejal29
Contributor

tejal29 commented Sep 27, 2019

@abergmeier Thank you for filing this issue.
The team does not have any resources to debug AWS-ECR authorization issues.
That said, have you followed the steps mentioned here https://github.com/GoogleContainerTools/kaniko#pushing-to-amazon-ecr

@tejal29 tejal29 added kind/question Further information is requested priority/p3 agreed that this would be good to have, but no one is available at the moment. area/usability For all bugs related to how people use kaniko, option and feature flags, etc labels Sep 27, 2019
@abergmeier
Contributor Author

> That said, have you followed the steps mentioned here

I have. Without debug output it really is problematic to see where an actual problem in authentication occurs.

@tejal29
Contributor

tejal29 commented Oct 2, 2019

Thanks @abergmeier. Is there any helpful output when you pass the verbosity debug flag?
https://github.com/GoogleContainerTools/kaniko#--verbosity

Thank you for your patience. We are trying hard to get some AWS accounts to try out our tools.

@time4116

time4116 commented Oct 8, 2019

This is currently working for me. The IAM role that is assigned to my nodes allows ECR push permissions. There are no AWS IAM credentials on my Kaniko container; here is my /kaniko/.docker/config.json. However, I have also had success specifying a registry via credHelpers.

{ "credsStore": "ecr-login" }
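
Added example, not part of the thread or of kaniko's code: a local pre-flight check for the two files this issue revolves around, run before the executor so a 401 can be narrowed down without contacting AWS. It resolves which credentials file would be read, follows the `role_arn`/`source_profile` chain for a profile, and reports which credential helper the Docker config selects for a registry. The function names and sample values are hypothetical; returning `None` when neither `AWS_SHARED_CREDENTIALS_FILE` nor `HOME` is set is an assumption of this sketch.

```python
import configparser
import json
import os

def credentials_path(env):
    """File the check should read: AWS_SHARED_CREDENTIALS_FILE, else $HOME/.aws/credentials."""
    if env.get("AWS_SHARED_CREDENTIALS_FILE"):
        return env["AWS_SHARED_CREDENTIALS_FILE"]
    home = env.get("HOME")
    # Assumption of this sketch: without HOME the location is treated as unresolved.
    return os.path.join(home, ".aws", "credentials") if home else None

def resolve_profile(credentials_text, profile, max_depth=5):
    """Follow role_arn/source_profile links; return (chain, problem or None)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(credentials_text)
    chain, current = [], profile
    while len(chain) < max_depth:
        if not cp.has_section(current):
            return chain, f"profile [{current}] not found"
        chain.append(current)
        sec = cp[current]
        if "role_arn" in sec:
            if "source_profile" not in sec:
                return chain, f"[{current}] has role_arn but no source_profile"
            current = sec["source_profile"]
        elif "aws_access_key_id" in sec and "aws_secret_access_key" in sec:
            return chain, None  # chain ends in static keys
        else:
            return chain, f"[{current}] has neither role_arn nor static keys"
    return chain, "source_profile chain is circular or too deep"

def helper_for(docker_config_text, registry):
    """Docker config lookup: a credHelpers entry for the registry wins over credsStore."""
    cfg = json.loads(docker_config_text)
    return cfg.get("credHelpers", {}).get(registry) or cfg.get("credsStore")

# Constructed sample inputs modelled on the files in this issue (placeholder keys).
SAMPLE_CREDENTIALS = """\
[functional]
role_arn = arn:aws:iam::54321:role/functional
source_profile = default
[default]
aws_access_key_id=EXAMPLEKEYID
aws_secret_access_key=EXAMPLESECRET
"""
SAMPLE_DOCKER_CONFIG = '{"credHelpers": {"123456.dkr.ecr.eu-central-1.amazonaws.com": "ecr-login"}}'

if __name__ == "__main__":
    print(credentials_path(dict(os.environ)))
    print(resolve_profile(SAMPLE_CREDENTIALS, "functional"))
    print(helper_for(SAMPLE_DOCKER_CONFIG, "123456.dkr.ecr.eu-central-1.amazonaws.com"))
```

A `None` from `credentials_path` or `helper_for`, or a non-`None` problem string from `resolve_profile`, points at a local configuration gap rather than at the registry.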

carlossg added a commit to carlossg/kaniko that referenced this issue Dec 21, 2019
@cvgw cvgw closed this as completed in #930 Dec 22, 2019