aws-actions / amazon-ecr-login
Logs into Amazon ECR with the local Docker client.
License: MIT License
I was reading this about caching dependencies in Github actions workflows: https://help.github.com/en/actions/automating-your-workflow-with-github-actions/caching-dependencies-to-speed-up-workflows
Is there an equivalent caching technique for building Docker images to ECR so that not all of the dependencies have to be built every time?
According to the docs one should be able to access the docker username/password using the prefix docker_username and docker_password (with a "cleaned" suffix with the registry URL), however they don't seem to be being set. I look at the code and I see the output, however, when I dump the step's outputs the values are not there.
I enabled Debugging and I can confirm they are not being set:
##[debug]Evaluating condition for step: 'Amazon ECR "Login" Action for GitHub Actions'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Amazon ECR "Login" Action for GitHub Actions
##[debug]Register post job cleanup for action: aws-actions/amazon-ecr-login@v1
##[debug]Loading inputs
##[debug]Loading env
Run aws-actions/amazon-ecr-login@v1
##[debug]Requesting auth token for 1 registries:
##[debug] '***'
::set-output name=registry::***.dkr.ecr.us-east-1.amazonaws.com
##[debug]steps.ecr_login.outputs.registry='***.dkr.ecr.us-east-1.amazonaws.com'
::save-state name=registries::***.dkr.ecr.us-east-1.amazonaws.com
##[debug]Save intra-action state registries = ***.dkr.ecr.us-east-1.amazonaws.com
##[debug]'skip-logout' is for 1 registries.
##[debug]Node Action run completed with exit code 0
##[debug]Finishing: Amazon ECR "Login" Action for GitHub Actions
I am using the following:
- name: Amazon ECR "Login" Action for GitHub Actions
  uses: aws-actions/amazon-ecr-login@v1
  id: ecr_login
  with:
    registries: "xxxxxxxxxxxx"
Hi!
I have an issue with ECR login when using the postgres service.
The workflow code is:
jobs:
  build-test:
    runs-on: ubuntu-latest
    container: node:14
    services:
      postgres:
        image: postgres:10.2
        env:
          POSTGRES_DB: postgres
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_PORT: 5432
        ports:
          - 5432:5432
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    outputs:
      JOB_STATUS: ${{ steps.deployment.outputs.status }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
Please, help me with this error. A bit urgent for me.
https://docs.aws.amazon.com/AmazonECR/latest/userguide/push-oci-artifact.html
ECR allows Helm packages - but needs helm registry login instead of docker login.
Is there any way to get this going? Looks like docker login is done by default in index.js
Hi, I am using a step after using aws-actions/amazon-ecr-login@v1 called mamezou-tech/buildpacks-action@master to build and push the image to ECR, and as they use a Dockerfile to run the step within a container, the docker connection session is not persisted.
Is there a way to make it work? What could be done to have other "dockerized" steps to be able to benefit from the docker login action?
Thanks!
I'm getting the following error while trying to use the Actions outputs: The workflow is not valid. .github/workflows/xxxxx.yaml (Line: 25, Col: 14): Unexpected symbol: '350xxxxxxxxx_dkr_ecr_eu_central_1_amazonaws_com_docker_username'. Located at position 21 within expression: steps.login.outputs.350xxxxxxxxx_dkr_ecr_eu_central_1_amazonaws_com_docker_username.
From: https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs :
The <output_id> must start with a letter or _ and contain only alphanumeric characters, -, or _.
As such, the fact that the Actions output ids start with a number (e.g. 111111111111_dkr_ecr_aws_region_1_amazonaws_com_docker_username) means that the workflow file will always be invalid.
This functionality has apparently not been tested and is broken.
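An added example, not part of the original post and not the action's own code: it checks output ids derived from a registry URI against the quoted output_id rule and builds the matching workflow expression. All function names and the sample registry are hypothetical; the index-syntax fallback follows GitHub's expression documentation for names that dot access cannot take.

```javascript
// Added example; helper names are hypothetical, the registry URI is constructed.

// GitHub's documented rule for <output_id>, as quoted in the post above:
// starts with a letter or _, then only alphanumerics, - or _.
const OUTPUT_ID_RULE = /^[A-Za-z_][A-Za-z0-9_-]*$/;

// Turn a registry URI into an identifier fragment: every character that is
// not a letter, digit or underscore becomes an underscore.
function cleanRegistry(registryUri) {
  return registryUri.replace(/[^A-Za-z0-9_]/g, '_');
}

// Registry first, field last: the shape shown in the error message above.
function registryFirstId(registryUri, field) {
  return cleanRegistry(registryUri) + '_' + field;
}

// Field first, registry last: always begins with a letter.
function fieldFirstId(registryUri, field) {
  return field + '_' + cleanRegistry(registryUri);
}

function isValidOutputId(id) {
  return OUTPUT_ID_RULE.test(id);
}

// Build the workflow expression for one output. Dot access is used only when
// the id satisfies the rule; otherwise the id is quoted in index syntax
// (single quotes inside an expression string are escaped by doubling).
function outputExpression(stepId, outputId) {
  const access = isValidOutputId(outputId)
    ? 'steps.' + stepId + '.outputs.' + outputId
    : 'steps.' + stepId + ".outputs['" + outputId.replace(/'/g, "''") + "']";
  return '${{ ' + access + ' }}';
}

// Report both naming shapes for the username and password outputs.
function reportOutputIds(stepId, registryUri) {
  return ['docker_username', 'docker_password'].flatMap((field) =>
    [registryFirstId(registryUri, field), fieldFirstId(registryUri, field)].map((id) => ({
      id,
      valid: isValidOutputId(id),
      expression: outputExpression(stepId, id),
    }))
  );
}

// Constructed sample: twelve 1s stand in for an account ID.
const SAMPLE_REGISTRY = '111111111111.dkr.ecr.eu-central-1.amazonaws.com';

for (const row of reportOutputIds('login', SAMPLE_REGISTRY)) {
  console.log((row.valid ? 'valid  ' : 'INVALID') + ' ' + row.expression);
}
```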
Hello,
I need to push an image to account A ECR, using account B's IAM user, but when I use aws-actions/amazon-ecr-login@v1, I receive "no basic auth credentials" error. Account A and B are in same region.
But if I switch to aws ecr get-login-password & docker login method for ECR login, image is pushed to account A ECR with no problem.
So this workflow ends with "no basic auth credentials" error :
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: <Account B Access Key>
    aws-secret-access-key: <Account B Secret Access Key>
    aws-region: <A&B Region>
- name: AWS ECR Login
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Docker Build & Push to ECR
  run: |
    docker build -t <Account A ECR Repository>:<tag> -f Dockerfile .
    docker push <Account A ECR Repository>:<tag>
But for aws ecr get-login-password & docker login, push succeeds.
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: <Account B Access Key>
    aws-secret-access-key: <Account B Secret Access Key>
    aws-region: <A&B Region>
- name: AWS ECR Login
  run: |
    aws ecr get-login-password --region <A&B Region> | docker login --username AWS --password-stdin <Account A ECR Registry>
- name: Docker Build & Push to ECR
  run: |
    docker build -t <Account A ECR Repository>:<tag> -f Dockerfile .
    docker push <Account A ECR Repository>:<tag>
Is there anything that I need to do differently for this kind of job?
Here is my ECR Permission on account A just for reference. But I'm guessing the permission setting is the issue here as aws ecr get-login-password & docker login with same aws-actions/configure-aws-credentials works.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<Account B ID>:root"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:GetDownloadUrlForLayer",
        "ecr:InitiateLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
Thank you.
I have tried very hard but was unable to push the image to ECR.
I am trying with a public ECR repo.
Repository URI: public.ecr.aws/k5n6o2s4/sadapay-test
ERROR
name unknown: The repository with name 'public.ecr.aws/k5n6o2s4/sadapay-test' does not exist in the registry with id '***' Error: Process completed with exit code 1.
My workflow file
https://github.com/hjavaid06/spring-boot/blob/main/.github/workflows/Workflow.yml
Please assist, I have tried as much as I can.
It really does appear to fail as #27 suggested.
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
  with:
    registries: 1111111111
  env:
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ECR_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_ECR_SECRET_ACCESS_KEY }}
    AWS_REGION: 'my-hardcoded-region-here'
- name: Build, tag, and push image to Amazon ECR
  id: build-tag-push
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    ECR_REPOSITORY: api
    IMAGE_TAG: ${{ github.sha }}
  run: |
    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
Replaced my actual registry id with 1s above. No space after it.
ECR_REGISTRY ends up empty.
Permissions for the user who is running the pipeline -
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ecr:*",
      "Resource": "*"
    }
  ]
}
pipeline step Login to Amazon ECR succeeds
AWS_REGION: us-east-1
Run aws-actions/amazon-ecr-login@v1
with:
env:
AWS_ACCESS_KEY_ID: ***
AWS_SECRET_ACCESS_KEY: ***
AWS_DEFAULT_REGION: us-east-1
AWS_REGION: us-east-1
registry - 475882391631.dkr.ecr.us-east-1.amazonaws.com/contenttech
error:
name unknown: The repository with name '***.dkr.ecr.us-east-1.amazonaws.com/contenttech' does not exist in the registry with id '***'
##[error]Process completed with exit code 1.
details and full pipeline -
link
Hi community!
I would like to ask for a feature (or in case of me missing this feature please help me to see how to proceed), when deploying actions in github CI.
Basically I don't find any info about how to pull containers from AWS and deploy them in CI GitHub Actions during the job execution
jobs:
  backend-job:
    name: CI backend Integration env
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:10
        ports:
          - 5432:5432
      rabbitmq:
        image: rabbitmq
        ports:
          - 5672:5672
      redis:
        image: redis:alpine
        ports:
          - 6379:6379
    steps:
      - name: Step 1
        uses: ...
      - name: Step 2
        uses: ...
and add own docker-based app containers (from aws, google, heroku... whatever) passing credentials like:
...
services:
  .....
  some-aws-service:
    image: XXXXXXXXX.YYY.ecr.eu-west-1.amazonaws.com/<AWS OWN SERVICE>:latest
    ports:
      - 5000:5000
    credentials:
      username: ${{ secrets.AWS_ACCESS_KEY_ID }}
      password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
Following multiple approaches like proposed here: https://docs.github.com/es/actions/using-jobs/running-jobs-in-a-container
But I receive this:
I also added these steps (https://github.com/aws-actions/amazon-ecr-login) at the beginning:
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: arn:aws:iam::123456789012:role/my-github-actions-role
    aws-region: us-east-1
- name: Login to Amazon ECR Private
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
...
But nothing was possible...
Can you shed more light on this please?
Many thanks in advance!!!!
set-output is deprecated in Github Actions, so if we could output to GITHUB_ENV we could use this action without triggering warnings
Hi AWS!
Maintainer of https://github.com/krzema12/github-actions-kotlin-dsl here. Your actions have first-class support in the library.
Recently we've come up with a way to reduce operational load when keeping library's action wrappers in sync with action's inputs. The solution includes onboarding https://github.com/krzema12/github-actions-typing. It's as easy as adding an extra YAML file to your repository root, and adding a simple GitHub workflow that validates this new file. Thanks to this, the code generator in the Kotlin DSL can fetch typing info provided by you instead of us, which has a number of benefits. It has no negative effects on current action consumers, they continue to use the action via regular GitHub API, as if the file wasn't there. The typings themselves are unaware of the Kotlin DSL, and any other tool (let it be another code generator or documentation tool) can use the typings if you provide them.
In this feature request, I would like to ask you if you're open to introducing such typings in your actions. You wouldn't be first - there're already other actions using it: https://github.com/krzema12/github-actions-typing/network/dependents
If your answer is "yes", feel free to either add it yourself, or let me know - me or some of my fellow contributors would be happy to post PRs. We're also open to any kind of questions and feedback.
With the suggested permissions for pushing, I get an error Error parsing HTTP response: unexpected end of JSON input: "". It seems that pushing also needs the ecr:BatchCheckLayerAvailability permission. See moby/moby#19010 (comment)
Sometimes the pipeline fails with the below error:
no basic auth credentials
It does not happen regularly, but every 10-15 days this issue occurs.
Pipeline steps:
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-region: ${{env.REGION}}
    role-to-assume: ${{env.ASSUME_ROLE}}
    role-duration-seconds: 1200
    role-skip-session-tagging: true
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
  env:
    ECR_URL: ${{ steps.login-ecr.outputs.registry }}
  run: |
    docker build -t $ECR_URL/$ECR_REPO:$IMAGE_TAG .
    docker push $ECR_URL/$ECR_REPO:$IMAGE_TAG
When working with a single registryId:
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
  with:
    registries: 012346789012
I get Invalid parameter at 'registryIds' failed to satisfy constraint: 'Member must satisfy constraint: [Member must satisfy regular expression pattern: [0-9]{12}]'. Yes, the registryId is twelve numeric digits.
When I remove the entry and rely on the default registry, it works.
Is there a way to pass custom build args to docker build?
I've been trying to pass build args to the Dockerfile, and only the env vars that are in the documentation are acceptable.
(Sorry for posting in this place..)
I want to use this action in combination with https://github.com/aevea/action-kaniko specifically so I can build my image with kaniko and then push it to two separate container registries (staging and production - separate registries in separate AWS accounts).
The kaniko builder requires the authentication details as it handles the registry authentication rather than using the docker login that this action provides.
I have had some success with https://github.com/elgohr/ecr-login-action to get the credentials out and pass to the kaniko builder, but I'd prefer to use this action if possible.
I'm in a situation where I need to authenticate to an ECR registry in a different account and region than where the self-hosted runner is running in. This is part of an internal project of migrating AWS accounts but still needing to access resources within the account we're moving away from.
A self-hosted runner in Account A (in region us-west-2) contains an IAM instance profile that allows it to assume a role in Account B to push images to the ECR registry (in region us-east-1), amongst many other things.
I can successfully assume the role in Account B using aws-actions/configure-aws-credentials@v1, but since the region input is for the initial client, aws-actions/amazon-ecr-login implicitly inherits it when it authenticates to ECR. I need it to use a different region.
At first I thought I could modify the region in its own step:
# there is a step prior that assumes the role
# ....
- name: Set AWS region to us-east-1
  run: aws configure set default.region us-east-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Account B AWS ECR
  run: |
    docker build -t $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION
But it didn't work. This Github Action still authenticated to the ECR registry in the us-west-2 region.
Then I thought to run AWS ECR commands directly to specify the region:
# there is a step prior that assumes the role
# ....
- name: Login to Account B ECR
  run: |
    aws ecr get-login-password --region $ACCT_B_REGION | \
    docker login --username AWS --password-stdin $ACCT_B_ECR_REGISTRY
- name: Build, tag, and push image to Account B AWS ECR
  run: |
    docker build -t $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ACCT_B_ECR_REGISTRY/$ECR_REPOSITORY:$VERSION
This works but it replaces this convenient Github Action. It would be nice, despite it being very uncommon, if I could just provide this Github Action the region I need to authenticate into. This approach also stores the credentials unencrypted- WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Another approach I took is using aws-actions/configure-aws-credentials@v1 again to use the temporary assumed-role credentials (set to environment variables in a previous step) to set the region for subsequent steps.
# there is a step prior that assumes the role
# ....
- name: Configure temp AWS credentials for ECR login
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
    aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
    aws-region: us-east-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Account B AWS ECR
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
  run: |
    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION .
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$VERSION
This worked but adds another step to the job.
So, is there a simpler way to do this than what I've done above? Is there a simpler way to modify the region before running this Github Action? If not, could we add a region input to this Github Action. I can work on this if this is something desired.
Using this on an EKS setup where IRSA is used to provide IAM access on our pods (our runners), when trying to chain amazon-ecr-login together with configure-aws-credentials I get the error below:
I can confirm IRSA is working fine as we have other pipelines using it fine, our runners are able to assume roles successfully and use the permissions in those assumed roles.
IRSA uses token files for authentication setting the AWS_WEB_IDENTITY_TOKEN_FILE env pointed at the token on disk.
Output From Actions Log
Run aws-actions/configure-aws-credentials@v1
with:
role-to-assume: arn:aws:iam::$MY_ACCOUNT_ID:role/$MY_ROLE
aws-region: $MY_REGION
role-duration-seconds: 900
1s
Run aws-actions/amazon-ecr-login@v1
with:
env:
AWS_DEFAULT_REGION: $MY_REGION
AWS_REGION: $MY_REGION
AWS_ACCESS_KEY_ID: ***
AWS_SECRET_ACCESS_KEY: ***
AWS_SESSION_TOKEN: ***
Error: Could not login: WARNING! Using -*** the CLI is insecure. Use --password-stdin.
Error saving credentials: error storing credentials - err: exit status 1, out: `not implemented`
Workflow Yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    role-to-assume: arn:aws:iam::$MY_ACCOUNT_ID:role/$MY_ROLE
    aws-region: $MY_REGION
    role-duration-seconds: 900
- name: Login to ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
Receive this error when running the workflow
.github/workflows/docker-build.yml#L32 The workflow is not valid. .github/workflows/docker-build.yml (Line: 32, Col: 12): Unexpected symbol: '$ECR_REPOSITORY'. Located at position 1 within expression: $ECR_REPOSITORY .github/workflows/docker-build.yml (Line: 43, Col: 12): Unexpected symbol: '$ECR_REPOSITORY'. Located at position 1 within expression: $ECR_REPOSITORY
Issue must be with the syntax in the documentation
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    ECR_REPOSITORY: my-ecr-repo
    IMAGE_TAG: ${{ github.sha }}
  run: |
    docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
Environment variables have to be called in this format:
${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
This fixed the error
A warning will be generated when using this action:
The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
We should avoid using core.setOutput and output to $GITHUB_OUTPUT instead
Line 111 in 261a7de
HTTP_PROXY, HTTPS_PROXY is not taken into account.
Error: Inaccessible host: `api.ecr.eu-central-1.amazonaws.com' at port `undefined'. This service may not be available in the `eu-central-1' region.
I'm having an issue pushing images to a second repo.
My workflow is pulling from one repo in a dev account, and pushing the same image to a repo in a different account,
- name: Configure AWS Credentials for build and deploy
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ env.AWS_REGION }}
- name: Amazon ECR "Login" Action for GitHub Actions
  uses: aws-actions/amazon-ecr-login@v1
- name: Create QA Docker Tags
  working-directory: ./api
  run: |
    docker pull ${SOURCE_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA}
    docker tag ${SOURCE_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA} ${DESTINATION_ECR_IMAGE_REPOSITORY}:prod-latest
    docker tag ${SOURCE_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA} ${DESTINATION_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA}
    docker tag ${SOURCE_ECR_IMAGE_REPOSITORY}:${GITHUB_SHA} ${DESTINATION_ECR_IMAGE_REPOSITORY}:${{ needs.calc-app-version.outputs.app_version }}
- name: Configure AWS Credentials for build and deploy
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ env.AWS_REGION }}
- name: Amazon ECR "Login" Action for GitHub Actions
  uses: aws-actions/amazon-ecr-login@v1
- name: Publish Image
  run: docker push --all-tags ${DESTINATION_ECR_IMAGE_REPOSITORY}
It seems to log in correctly, but it fails on the publish saying that there are no credentials
Run docker push --all-tags ${DESTINATION_ECR_IMAGE_REPOSITORY}
The push refers to repository [*****.dkr.ecr.us-east-1.amazonaws.com/core-api]
no basic auth credentials
3702670ce3c4: Preparing
4eaaf9ca664b: Preparing
ce7e5c5cc356: Preparing
e330fc6a21cc: Preparing
b2d5eeeaba3a: Preparing
Error: Process completed with exit code 1.
The pipeline part for this process is shown below:
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-east-2
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
  id: build-image
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    ECR_REPOSITORY: service-t
The error is shown thus:
name unknown: The repository with name 'service-t' does not exist in the registry with id '***'
Error: Process completed with exit code 1.
I have tried all means to solve this by confirming all correct parameters and repo is correct but still same error, I need help, how do I handle this please?
GitHub has decided to deprecate running actions on Node 12. While the date of disabling node 12 actions is not set, it would be good to start discussing the idea of updating this action to run on Node 16. Even if a v2 is not released, a v1-node16 could be released like aws-actions/configure-aws-credentials is doing for now (see aws-actions/configure-aws-credentials#489 (comment)).
Is there any recommended usage for GH Actions services key when using this action to retrieve ecr login details? They run before any steps in the job are performed so there's no way to run ecr-login beforehand.
My first thought was to login in one job and then use that in another job, like so:
jobs:
  ecr-login:
    runs-on: ubuntu-latest
    outputs:
      docker_user: ${{ steps.login-to-ecr.outputs.docker_username_my_account_id_dkr_ecr_eu_west_1_amazonaws_com }}
      docker_password: ${{ steps.login-to-ecr.outputs.docker_password_my_account_id_dkr_ecr_eu_west_1_amazonaws_com }}
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: eu-west-1
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          role-to-assume: 'arn:aws:iam::my_account_id:role/my_role'
          role-duration-seconds: '3600'
      - name: Login to ECR
        uses: aws-actions/amazon-ecr-login@v1
        id: login-to-ecr
  test:
    runs-on: ubuntu-latest
    needs: ecr-login
    services:
      param_store:
        image: my_account_id.dkr.ecr.eu-west-1.amazonaws.com/***/***
        credentials:
          username: ${{ needs.ecr-login.outputs.docker_user }}
          password: ${{ needs.ecr-login.outputs.docker_password }}
    ...
But this doesn't work because:
a) the post ecr-login step logs out of the repository
and
b) the docker_password is never output from the job because it's considered secret.
Are there any recommendations on how to handle this for github actions services node? Account IDs and names of repos obscured for obvious reasons.
Per this comment, self-hosted runners relying on credentials configured in one job can no longer leverage them on subsequent jobs. A fix is actively being worked on.
Users affected by this can pin to an older version (like v1.1.4) as a workaround.
Using as following in my actions workflow
jobs:
  build:
    name: Build Image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      - name: Build, tag, and push image to Amazon ECR
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          IMAGE_NAME: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}
        run: |
          # Build a docker container and
          # push it to ECR so that it can
          # be deployed to ECS.
          docker build -t $IMAGE_NAME:latest .
          docker tag $IMAGE_NAME:latest $IMAGE_NAME:$RELEASE_TAG
          docker push $IMAGE_NAME
But it gives error on pushing the image
Successfully built fc0461d2f287
Successfully tagged ***.dkr.ecr.us-west-2.amazonaws.com/qcg-backend:latest
Error parsing reference: "***.dkr.ecr.us-west-2.amazonaws.com/qcg-backend:" is not a valid repository/tag: invalid reference format
Error: Process completed with exit code 1.
It seems the value of ${{ steps.login-ecr.outputs.registry }} is masked ***.
My current project involves pulling a docker image from an ECR in region A and pushing it into region B within the same AWS account. But the problem is that I can't log into different ECR's using amazon-ecr-login twice (changing the region on configure-aws-credentials@v1 beforehand).
Is there any way to solve this issue? Code below
- name: Configure AWS credentials for region A
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: sa-east-1
- name: Login to Amazon ECR on region A
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Pull docker image from Amazon ECR
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    ECR_REPOSITORY: my_repo
    IMAGE_TAG: latest
  run: |
    docker pull $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
    docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG my_image:latest
    docker images
- name: Logout of Amazon ECR
  if: always()
  run: docker logout ${{ steps.login-ecr.outputs.registry }}
- name: Configure AWS credentials for region B
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: us-west-1
- name: Login to Amazon ECR on region B
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
- name: Tag and push Docker image to Amazon ECR
  env:
    ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
    ECR_REPOSITORY: my_repo
    IMAGE_TAG: latest
  run: |
    docker tag my_image:latest $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
    docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
There have been quite a few commits to master since release v1.3.3 on 15 Feb 2021 - it would make a lot of sense to release the software. We lost a few hours because we assumed that the documentation in the readme corresponds to the released functionality - which it doesn't.
Thank you for your consideration.
I'd like to use GitHub Actions in a way where I would need to pull an image from a private ECR repository, but run untrusted code on the action worker afterwards.
What steps should I take to make sure malicious code can not obtain (temporary) access credentials to ECR?
Is using docker logout enough, or which cleanup steps should I take?
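An added example, not part of the original post and not the action's code: a check to run before handing the runner to untrusted code, reporting ECR registry entries left in the Docker client config and AWS credential variables still exported to later steps (the variables shown in the action logs on this page). Function names and all sample data are constructed; the point it illustrates is that removing the registry entry does not remove AWS credentials that can request a new ECR token.

```javascript
// Added example; names are hypothetical and every sample value is constructed.

// Registry hosts that count as ECR: private registries and ECR Public.
const ECR_HOST =
  /^(?:https?:\/\/)?(?:[0-9]{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com|public\.ecr\.aws)(?:\/|$)/;

// Credential-bearing variables that appear in the logs quoted on this page.
const AWS_CREDENTIAL_VARS = [
  'AWS_ACCESS_KEY_ID',
  'AWS_SECRET_ACCESS_KEY',
  'AWS_SESSION_TOKEN',
  'AWS_WEB_IDENTITY_TOKEN_FILE',
];

// dockerConfigText: contents of the Docker client config.json ('' if absent).
// env: environment of the step that is about to run untrusted code.
// Findings name the host or variable only, never the secret value.
function auditResidualCredentials(dockerConfigText, env) {
  const findings = [];
  let config = {};
  if (dockerConfigText && dockerConfigText.trim() !== '') {
    try {
      config = JSON.parse(dockerConfigText) || {};
    } catch (err) {
      findings.push({ kind: 'docker-config-unreadable', detail: err.message });
    }
  }
  const helpers = config.credHelpers || {};
  for (const [host, entry] of Object.entries(config.auths || {})) {
    if (!ECR_HOST.test(host)) continue;
    if (entry && (entry.auth || entry.identitytoken)) {
      // Token stored inline in config.json.
      findings.push({ kind: 'ecr-auth-in-config', detail: host });
    } else if (config.credsStore || helpers[host]) {
      // Empty entry whose secret is held by a credential helper.
      findings.push({ kind: 'ecr-auth-in-helper', detail: host });
    }
  }
  for (const name of AWS_CREDENTIAL_VARS) {
    if (env[name]) findings.push({ kind: 'aws-credential-env', detail: name });
  }
  return { clean: findings.length === 0, findings };
}

// Constructed samples: config after login, config after logout, and two environments.
const CONFIG_AFTER_LOGIN = JSON.stringify({
  auths: {
    '123456789012.dkr.ecr.us-east-1.amazonaws.com': { auth: 'CONSTRUCTED-NOT-A-REAL-TOKEN' },
    'ghcr.io': { auth: 'CONSTRUCTED-NOT-A-REAL-TOKEN' },
  },
});
const CONFIG_AFTER_LOGOUT = JSON.stringify({
  auths: { 'ghcr.io': { auth: 'CONSTRUCTED-NOT-A-REAL-TOKEN' } },
});
const ENV_WITH_AWS = {
  AWS_REGION: 'us-east-1',
  AWS_ACCESS_KEY_ID: 'constructed',
  AWS_SECRET_ACCESS_KEY: 'constructed',
  AWS_SESSION_TOKEN: 'constructed',
};
const ENV_SCRUBBED = { AWS_REGION: 'us-east-1' };

for (const [label, cfg, env] of [
  ['after login', CONFIG_AFTER_LOGIN, ENV_WITH_AWS],
  ['after logout, AWS env still set', CONFIG_AFTER_LOGOUT, ENV_WITH_AWS],
  ['after logout, AWS env removed', CONFIG_AFTER_LOGOUT, ENV_SCRUBBED],
]) {
  const result = auditResidualCredentials(cfg, env);
  console.log(label + ': ' + (result.clean ? 'clean' : JSON.stringify(result.findings)));
}
```

On a real runner, pass the contents of the Docker client's config.json and `process.env` of the step in question.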
How about updating AWS SDK to v3?
I suggest doing this with #116 .
I am happy to help. I hope this Action will be active.
Hi,
I have the error:
Error: Invalid parameter at 'registryIds' failed to satisfy constraint: 'Member must satisfy constraint: [Member must satisfy regular expression pattern: [0-9]{12}]'
Funny thing is that my other builds are working like a charm with the same configuration, the difference is that number, and I've checked it, it satisfies the regular expression of [0-9]{12} but still, it breaks, any advice?
See: https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html
It would be great if this action could configure the login, based on the presence of an input parameter AWS_ROLE_ARN, calling the github api to obtain the token.
Using this technique is favourable as one do not need to define, distribute, and rotate IAM credentials.
https://github.com/aws-actions/amazon-ecr-login/network/alert/package-lock.json/minimist/open
Traced the dependency graph and it appears like jest->@jest/core->jest-config->babel/core->json5->minimist ^1.2.0. Since it's a transitive dependency, we can not directly update minimist directly.
Going to create a pull request against json5.
AWS_DEFAULT_REGION is an official environment variable in AWS https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list.
In my workflow I specify:
env:
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  AWS_DEFAULT_REGION: eu-central-1
which is needed for some other jobs. It would be nice if we do not have to set the region again with:
with:
  aws-region: $AWS_DEFAULT_REGION
but that it can pick this up automatically
I am using self-hosted GitHub runners running in our EKS cluster. These self-hosted runners are tied to a service account that has a role with a trust relationship to my EKS identity provider and a policy to assume a role from another account that has access to ECR. When actions run I get an error
denied: User: arn:aws:sts::A:assumed-role/cp-sw-actions-runner/GitHubActions is not authorized to perform: ecr:InitiateLayerUpload on resource: arn:aws:ecr:us-west-2:B:repository/runner-test because no resource-based policy allows the ecr:InitiateLayerUpload action
Error: Process completed with exit code 1.
Currently experiencing issues on aws-actions/amazon-ecr-login@v1 via a build script using aws-actions/configure-aws-credentials@v1. The build was perfect as of 3 days ago. The error is:
Error: Could not login: WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error saving credentials: error storing credentials - err: exit status 1, out: The stub received bad data.
The virtual env info is
2020-11-02T15:08:23.2642617Z Microsoft Windows Server 2019
2020-11-02T15:08:23.2642970Z 10.0.17763
2020-11-02T15:08:23.2643321Z Datacenter
2020-11-02T15:08:23.2643642Z ##[endgroup]
2020-11-02T15:08:23.2644020Z ##[group]Virtual Environment
2020-11-02T15:08:23.2644535Z Environment: windows-2019
2020-11-02T15:08:23.2644904Z Version: 20201021.0
This wasn't happening as of 3 days ago and I believe this may be a related issue. Still haven't found any work around yet.
Action linter is warning about nodev12 actions getting deprecated soon.
Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: aws-actions/amazon-ecr-login
Any chance of that happening?
When giving a public ECR like this (to push an image):
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
  with:
    registries: public.ecr.aws/deadbeef
The step fails and gives the error:
Member must satisfy regular expression pattern: [0-9]{12}
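An added example, not from any of the posts and not the action's code: a pre-flight check of a `registries` value against the [0-9]{12} pattern quoted in the registryIds errors on this page, with a reason for each rejected entry. It assumes the input is a comma-separated list, and the numeric-coercion helper models one possible way an unquoted all-digit value could change before it reaches the API, which the page does not confirm; all names and sample values are constructed.

```javascript
// Added example; function names are hypothetical, sample values are constructed
// or taken from the snippets quoted on this page.

// Pattern quoted in the 'registryIds' constraint error.
const ACCOUNT_ID = /^[0-9]{12}$/;

// Split a registries input (ASSUMPTION: comma-separated) and classify each
// entry, so a failing value is named before any API call is made.
function checkRegistriesInput(raw) {
  return String(raw)
    .split(',')
    .map((part) => part.trim())
    .filter((part) => part !== '')
    .map((id) => {
      if (ACCOUNT_ID.test(id)) {
        return { id, ok: true, reason: 'matches [0-9]{12}' };
      }
      if (/^public\.ecr\.aws(\/|$)/.test(id)) {
        return { id, ok: false, reason: 'ECR Public URI, not an account ID' };
      }
      if (/\.dkr\.ecr\./.test(id)) {
        return { id, ok: false, reason: 'registry URI, not an account ID' };
      }
      if (/^[0-9]+$/.test(id)) {
        return { id, ok: false, reason: id.length + ' digits, expected 12' };
      }
      return { id, ok: false, reason: 'contains non-digit characters' };
    });
}

// ASSUMPTION (not confirmed by the page): models an unquoted all-digit value
// being read as a number and converted back to text, which drops leading zeros.
function afterNumericParse(literal) {
  return /^[0-9]+$/.test(literal) ? String(Number(literal)) : literal;
}

// Summarise a value both as written and as it would look after numeric parsing.
function explain(literal) {
  return {
    asWritten: checkRegistriesInput(literal),
    afterNumericParse: checkRegistriesInput(afterNumericParse(literal)),
  };
}

const SAMPLES = [
  '012346789012',                 // value from the snippet above
  '123456789012, 998877665544',   // constructed two-account list
  'public.ecr.aws/deadbeef',      // value from the snippet above
  '123456789012.dkr.ecr.us-east-1.amazonaws.com', // constructed registry URI
];

for (const sample of SAMPLES) {
  console.log(sample, JSON.stringify(explain(sample)));
}
```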
Good morning, this might not be entirely related to the code base of amazon-ecr-login, if there is a better place to report this, please advise.
I am using the ecr-login action as described in the docs:
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ap-northeast-1
- name: Login to Amazon ECR
  id: login-ecr
  uses: aws-actions/amazon-ecr-login@v1
When running the action, the initial job, which is setup, fails to download the tarballs from the official actions, and the execution of the workflow gets cancelled.
Here is a screenshot of the issue
In the AWS Credentials section,
Lines 164 to 166 in 3e4df45
the Assume an IAM role and Monitor the activity links do not redirect to the correct section because #<name> is not found anymore.
Hello,
I am using the amazon-ecr-login to generate an ecr_username and ecr_password to use with a docker login as follows, but the password doesn't seem to be populated
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: eu-west-1
- name: Login to Amazon ECR
  id: login_ecr
  uses: aws-actions/amazon-ecr-login@v1
## and then
outputs:
  ecr_username: ${{ steps.login_ecr.outputs.docker_username_<aws_acc_no>_dkr_ecr_eu_west_1_amazonaws_com }}
  ecr_password: ${{ steps.login_ecr.outputs.docker_password_<aws_acc_no>_dkr_ecr_eu_west_1_amazonaws_com }}
I then reference them in a separate job like this
services:
  container:
    image: <aws_acc_no>.dkr.ecr.eu-west-1.amazonaws.com/<repo_name>/<container>:<short_sha>
    credentials:
      username: ${{ needs.build.outputs.ecr_username }}
      password: ${{ needs.build.outputs.ecr_password }}
When printed out, the username echoes as AWS whereas the password does not. I suspected this was due to masking, but I get this error
Error: .github/workflows/ci.yml (Line: 277, Col: 21): Unexpected value ''
Error: The template is not valid. .github/workflows/ci.yml (Line: 277, Col: 21): Unexpected value ''
As a way round this I ran the following in the workflow and it works
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: eu-west-1
- name: get ECR username & password
  id: extract_password
  run: echo "##[set-output name=ecr_password_2;]$(aws ecr get-login-password)"
outputs:
  ecr_password_2: ${{ steps.extract_password.outputs.ecr_password_2 }}
services:
  container:
    image: <aws_acc_no>.dkr.ecr.eu-west-1.amazonaws.com/<repo_name>/<container>:<short_sha>
    credentials:
      username: AWS
      password: ${{ needs.build.outputs.ecr_password_2 }}
I'm not sure what's happening with password as it doesn't seem to be populated
Use case:
In CI it's very common to already have the full registry. The output is also the URI. For example using skaffold this is SKAFFOLD_DEFAULT_REPO. Save us from awking that crap in another step.
Thanks for the action!
The action yields the following warning
Warning: The `save-state` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Should resolve once dependabot PR #352 finds its way to the next release
Hi, I am trying to move my github arm actions to an M1 Mac Mini build server with a self-hosted runner, but it fails with the following errors:
Run aws-actions/configure-aws-credentials@v1
The node12 is not supported on macOS ARM64 platform. Use node16 instead.
Run aws-actions/amazon-ecr-login@v1
The node12 is not supported on macOS ARM64 platform. Use node16 instead.
Logging into registry ***.dkr.ecr.us-east-1.amazonaws.com