Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Collaborating the credential-helper with aws SSO fails #573

Open
JoshuaGhost opened this issue Jul 20, 2023 · 1 comment
Open

Collaborating the credential-helper with aws SSO fails #573

JoshuaGhost opened this issue Jul 20, 2023 · 1 comment

Comments

@JoshuaGhost
Copy link

JoshuaGhost commented Jul 20, 2023
edited
Loading

I have been trying to collaborate the ecr + credential-helper and aws SSO authentication. Here is what i did and how it fails:
First, i set up the sso-authentication with

aws configure sso-session

and

aws configure sso

the automatically generated ~/.aws/config looks like this:

[sso-session my-sso]
sso_start_url = https://***
sso_region = ***
sso_registration_scopes = sso:account:access
[profile p1]
sso_session = my-sso
sso_account_id = ***
sso_role_name = ***
region = ***
output = json

I can now login using

aws sso login --profile p1

Then i installed amazon-ecr-credential-helper under Ubuntu 20.04.6 LTS through go install. I also updated the ~/.docker/config.json according to the readme.md as follows:

{
  "credHelpers": {
    /*helper settings for other IaaS providers like GCP*/
    "<aws-user-id>.dkr.ecr.<aws-cli-region>.amazonaws.com/<ecr-registry-name>": "ecr-login"
  },
    "credsStore": "ecr-login"
}

But now after logging in using the sso, i can't push nor pull the image to/from the ECR. The error message says that i have "no basic auth credentials"

I could acually use the trick suggested here to get the password and re-direct it to the --password-stdin argument of docker login using the pipeline operator "|". But this command has the following side-effects:

  1. It removes my ~/.docker/config.json file and create a new one with only the auth passwords.
  2. It stores the password in ~/.docker/config.json file in (base64-encoded) plain text

I don't like either of these side-effects so could you please help me by telling me the most practical way of using the tool chain?

After searching on the internet and within the issues of this repo, i found this issue mentioned an influent ochestration of sso and credential helper. @austinvazquez suggested to update the credential-helper. But for me updating this doesn't resolve the problem.

Edit on 20.07.2023:

I re-install the newest version of credential-helper using go install, the error by the login changes to

Error saving credentials: error storing credentials - err: exit status 1, out: `not implemented`

But the good news is, by removing the two configuration entries:

"credsStore": "ecr-login"

and

 "<aws-user-id>.dkr.ecr.<aws-cli-region>.amazonaws.com/<ecr-registry-name>": "ecr-login"

, i can finally login using the command with the pipeline operator "|". And my old docker config is not flushed. But the authentication token is still stored in plain text...
@gmr gmr mentioned this issue Nov 28, 2023
Open
@gopipal
Copy link

gopipal commented Mar 21, 2024

You may need to docker logout "<aws-user-id>.dkr.ecr.<aws-cli-region>.amazonaws.com" since docker can cache old creds.

I am using the latest aws credentials helper and it works with aws sso

go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@latest
sudo cp $GOPATH/bin /usr/bin/.

This is my ~/.docker/config.json

{
	"credHelpers": {
		"<aws-user-id>.dkr.ecr.<aws-cli-region>.amazonaws.com": "ecr-login"
	}
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gopipal @JoshuaGhost