Role arn not read from profile in config when using config file with web_identity_token_file

[imcdo]

Describe the bug

When using amazon-ecr-credential-helper to pull from ECR, it fails to pull credentials from the default profile with the following stack trace:

Unable to find image '<account>.dkr.ecr.us-west-2.amazonaws.com/<image>' locally 37:21
panic: role ARN is not set 37:21
goroutine 1 [running]: 37:21
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api.DefaultClientFactory.NewClientFromRegion({}, {0xc00002bf9d?, 0x0?}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/[email protected]/api/factory.go:84 +0x190 37:21
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login.ECRHelper.Get({{0x8aa120?, 0xb28ba0?}, 0xaf2cc0?}, {0xc000028f30, 0x2c}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/[email protected]/ecr.go:101 +0x113 37:21
 github.com/docker/docker-credential-helpers/credentials.Get({0x8a9d30, 0xc000012108}, {0x8a4e40?, 0xc00005e028?}, {0x8a4dc0, 0xc00005e030}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/[email protected]/credentials/credentials.go:154 +0x1fa 37:21
 github.com/docker/docker-credential-helpers/credentials.HandleCommand({0x8a9d30?, 0xc000012108?}, {0x7ffc942bad3e, 0x3}, {0x8a4e40?, 0xc00005e028?}, {0x8a4dc0?, 0xc00005e030?}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/[email protected]/credentials/credentials.go:96 +0x97 37:21
 github.com/docker/docker-credential-helpers/credentials.Serve({0x8a9d30, 0xc000012108}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/[email protected]/credentials/credentials.go:80 +0x325 37:21
 main.main() 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/[email protected]/cli/docker-credential-ecr-login/main.go:52 +0x154 37:21
 docker: Error response from daemon: Head "https://<accoun>.dkr.ecr.us-west-2.amazonaws.com/v2/<image>": no basic auth credentials.

The default profile in the ~/.aws/config file is simply:

[profile default]
role_arn = arn:aws:iam::<account>:role/<role-name>
web_identity_token_file=<absolute path to existing token>

the panic originally coming from this projects call here.

eventually throwing the error here

Expected Behavior

It reads the default profile as it was not specified in the environment variables, and reads the role name specified there.

Current Behavior

It fails to find the specified role name even though it is specified in the config.

Reproduction Steps

1. create a .aws/config file that has a default profile that assumes a role via a web_identity_token_file
2. configure docker to use amazon-ecr-credential-helper
3. attempt to pull an image

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

v1.26.3 for config

https://github.com/awslabs/amazon-ecr-credential-helper/blob/88cfadc80e8fe02f840937a6f9a638991f9e54f8/ecr-login/go.mod#L5-L15

Compiler and Version used

Operating System and version

Ubuntu 20.04

[RanVaknin]

Hi @imcdo ,

amazon-ecr-credential-helper Is not a product that the SDK team supports, therefore I cannot advise you on this particular problem.

I suggest you create this issue on their repo.

Thanks again,
Ran~

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

[imcdo]

@RanVaknin I understand that, however its the usage of this sdk that seems to be broken, not their product.

[RanVaknin]

Based on the line of code you said its throwing in, it seems like the SDK is not provided with the correct role to obtain credentials.

I'm not familiar with this tool, therefore I suggest we wait to hear back from the ECR team about this. Perhaps they will be able to shed some light on the matter.

Thanks,
Ran~

[imcdo]

Thanks @RanVaknin will do.

[lucix-aws]

I'm going to have to close this due to both inactivity in the upstream ticket and inability to reproduce the issue described.

The following sample program:

package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
)

func main() {
	cfg, err := config.LoadDefaultConfig(context.Background())
	if err != nil {
		log.Fatal(err)
	}

	fmt.Printf("%v\n", aws.IsCredentialsProvider(cfg.Credentials, &stscreds.WebIdentityRoleProvider{}))
}

with the following shared config

[default]
role_arn = arn:aws:iam::123456789:role/mock-role
web_identity_token_file=/Users/lucix/token

Prints true - in other words, we can observe it's correctly loaded both the token file and role ARN from shared config, rather than failing on the line you've indicated. I've verified that the behavior is correct on both config v1.26.3 and the latest v1.27.0.

Without the ability to reproduce the described issue, this isn't actionable for the SDK team.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.