On 1.17.0, instance metadata ECR credentials authorization on EC2 doesn't work anymore #2808

Open
rdbisme opened this issue Oct 19, 2023 · 2 comments
Labels
area/authentication kind/bug Something isn't working priority/p0 Highest priority. Break user flow. We are actively looking at delivering it. registry/ecr regression/v1.16.0 regression

rdbisme commented Oct 19, 2023

Actual behavior
We have the following line in our CI script:

  • echo "{\"credsStore\":\"ecr-login\"}" > /kaniko/.docker/config.json

This enables kaniko to authorize the push to ECR registry using the EC2 machine instance metadata it's running on. This stopped working with 1.17.0 with the following error:

panic: failed to get shared config profile, <redacted>
goroutine 1 [running]:
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api.DefaultClientFactory.NewClientFromRegion({}, {0xc00015945d?, 0x0?})
	/src/vendor/github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api/factory.go:84 +0x219
github.com/awslabs/amazon-ecr-credential-helper/ecr-login.ECRHelper.Get({{0x882240?, 0xae6780?}, 0xab0a40?}, {0xc000132540, 0x2c})
	/src/vendor/github.com/awslabs/amazon-ecr-credential-helper/ecr-login/ecr.go:101 +0x113
github.com/docker/docker-credential-helpers/credentials.Get({0x881e50, 0xc00011a0d8}, {0x87d840?, 0xc000110020?}, {0x87d7c0, 0xc000110028})
	/src/vendor/github.com/docker/docker-credential-helpers/credentials/credentials.go:130 +0x1fa
github.com/docker/docker-credential-helpers/credentials.HandleCommand({0x881e50?, 0xc00011a0d8?}, {0x7ffedf9c87be?, 0xc00018bec0?}, {0x87d840?, 0xc000110020?}, {0x87d7c0?, 0xc000110028?})
	/src/vendor/github.com/docker/docker-credential-helpers/credentials/credentials.go:73 +0x85
github.com/docker/docker-credential-helpers/credentials.Serve({0x881e50?, 0xc00011a0d8?})
	/src/vendor/github.com/docker/docker-credential-helpers/credentials/credentials.go:58 +0xee
main.main()
	/src/vendor/github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login/main.go:44 +0x154
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "[MASKED]/xxxx/xxx": resolving authorization for [MASKED] failed: error getting credentials - err: exit status 2, out: ``

Expected behavior
Authorization should keep working.

To Reproduce
Steps to reproduce the behavior:

  1. ...
  2. ...

Additional Information

  • Dockerfile
    Please provide either the Dockerfile you're trying to build or one that can reproduce this error.
  • Build Context
    Please provide or clearly describe any files needed to build the Dockerfile (ADD/COPY commands)
  • Kaniko Image Using docker image sha256:91ffcd7c7450560c235406479a476b632efeef9ca036ca4ce32de395a580f83a for gcr.io/kaniko-project/executor:debug with digest gcr.io/kaniko-project/executor@sha256:97c78eedb0560b8fcf64900abdb810f84f9882d033421f4aee1e6559f42b7e87 ...

Triage Notes for the Maintainers

Description Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile
@rdbisme rdbisme changed the title On 1.17.0, instance metadata auth on EC2 doesn't work anymore On 1.17.0, instance metadata ECR credentials authorization on EC2 doesn't work anymore Oct 19, 2023
@aaron-prindle aaron-prindle added regression regression/v1.16.0 priority/p0 Highest priority. Break user flow. We are actively looking at delivering it. registry/ecr area/authentication kind/bug Something isn't working labels Oct 19, 2023

csm-kb commented Oct 20, 2023

Can confirm the same! via executor:debug as of 10 minutes ago:

$ echo "{\"credsStore\":\"ecr-login\",\"credHelpers\":{\"${DOCKER_REGISTRY}\":\"ecr-login\"}}" > /kaniko/.docker/config.json
$ echo "Creating ${CI_env} build for ${DOCKER_REGISTRY}/${APP_NAME}:${IMAGE_TAG}"
Creating staging build for [MASKED].dkr.ecr.[MASKED].amazonaws.com/[MASKED]:v0.33.7
$ export AWS_PROFILE=default
$ /kaniko/executor --context ${CI_PROJECT_DIR} --dockerfile ${CI_PROJECT_DIR}/Dockerfile --build-arg "BUILD_APP_ENV=${CI_env}" --destination "${DOCKER_REGISTRY}/${APP_NAME}:${IMAGE_TAG}" --cache=true --cache-repo "${DOCKER_REGISTRY}/${APP_NAME}" --cache-ttl ${CACHE_TTL}
panic: failed to get shared config profile, default
goroutine 1 [running]:
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api.DefaultClientFactory.NewClientFromRegion({}, {0xc00002d8dd?, 0x0?})
	/src/vendor/github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api/factory.go:84 +0x219
github.com/awslabs/amazon-ecr-credential-helper/ecr-login.ECRHelper.Get({{0x882240?, 0xae6780?}, 0xab0a40?}, {0xc000026b70, 0x2c})
	/src/vendor/github.com/awslabs/amazon-ecr-credential-helper/ecr-login/ecr.go:101 +0x113
github.com/docker/docker-credential-helpers/credentials.Get({0x881e50, 0xc0000100f0}, {0x87d840?, 0xc000068028?}, {0x87d7c0, 0xc000068030})
	/src/vendor/github.com/docker/docker-credential-helpers/credentials/credentials.go:130 +0x1fa
github.com/docker/docker-credential-helpers/credentials.HandleCommand({0x881e50?, 0xc0000100f0?}, {0x7ffc524af69f?, 0xc000161ec0?}, {0x87d840?, 0xc000068028?}, {0x87d7c0?, 0xc000068030?})
	/src/vendor/github.com/docker/docker-credential-helpers/credentials/credentials.go:73 +0x85
github.com/docker/docker-credential-helpers/credentials.Serve({0x881e50?, 0xc0000100f0?})
	/src/vendor/github.com/docker/docker-credential-helpers/credentials/credentials.go:58 +0xee
main.main()
	/src/vendor/github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login/main.go:44 +0x154
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "[MASKED].dkr.ecr.[MASKED].amazonaws.com/[MASKED]:v0.33.7": resolving authorization for [MASKED].dkr.ecr.[MASKED].amazonaws.com failed: error getting credentials - err: exit status 2, out: ``

aaron-prindle (Collaborator) commented Oct 20, 2023

@rdbisme and @csm-kb - thank you for flagging the issue here. I haven't had a chance to investigate this regression more deeply. Below is a list of all of the changes made from v1.16.0 - v1.17.0; likely one of these changes caused this regression IIUC. From this list it seems that this would likely be related to one of the updated deps. Please add additional information/investigation if anyone in the thread here has a sense of what the root cause might be.

Docs, Test, and CI/CD Updates:

  • docs: fix readme sample typo #2792
  • docs: Update designdoc.md with correct link to skaffold repository #2775
  • ci: add automated way of cutting releases w/ generation of CHANGELOG.md Makefile changes #2786
  • ci: remove log line from listpullreqs.go and additional release.sh fixes #2790
  • ci: resolve issue with integration tests where lack of disk space caused k3s issues #2804
  • test: add test cases and docString for regex in COPY command #2773

Updates and Refactors:

  • chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.42 to 1.18.44 #2777
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.83 to 1.11.86 #2757
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.86 to 1.11.87 #2770
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.87 to 1.11.91 #2805
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.39.0 to 1.40.0 #2771
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.40.0 to 1.40.1 #2780
  • chore(deps): bump github.com/containerd/containerd from 1.7.6 to 1.7.7 #2797
  • chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 #2796
  • chore(deps): bump github.com/otiai10/copy from 1.12.0 to 1.14.0 #2772
  • chore(deps): bump github.com/spf13/afero from 1.9.5 to 1.10.0 #2758
  • chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 #2791
  • chore(deps): bump golang.org/x/oauth2 from 0.12.0 to 0.13.0 #2781
  • chore(deps): bump golang.org/x/sync from 0.3.0 to 0.4.0 #2798
  • chore(deps): bump google.golang.org/api from 0.141.0 to 0.142.0 #2756
  • chore(deps): bump google.golang.org/api from 0.142.0 to 0.143.0 #2769
  • chore(deps): bump google.golang.org/api from 0.143.0 to 0.145.0 #2778
  • refactor: Remove fallbackToUID bool option from Kaniko code #2767
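
Both panics reported above name a shared config profile (`<redacted>`, `default`). As an added example, not code from kaniko or amazon-ecr-credential-helper, this preflight for the CI script checks that the Docker config references `ecr-login` and that `AWS_PROFILE`, if exported, names a profile present in the shared config or credentials file. It assumes the helper fails when the named profile is missing, does not identify which v1.17.0 change caused the regression, and `preflight` and `profile_defined` are hypothetical names.

```shell
#!/bin/sh
# Added example: preflight for a CI job that pushes to ECR through the
# ecr-login credential helper. Function names are hypothetical.

# profile_defined NAME FILE...: succeed if any readable FILE has a section
# header "[NAME]" or "[profile NAME]". This is an approximation of how the
# AWS shared config and credentials files name profiles.
profile_defined() {
    name=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                "[$name]"*|"[profile $name]"*) return 0 ;;
            esac
        done < "$f"
    done
    return 1
}

# preflight DOCKER_CONFIG_JSON: print one finding per line and return 1 if
# a finding would stop the credential lookup before instance metadata is
# consulted (assumption: a missing named profile is fatal to the helper).
preflight() {
    cfg=$1; rc=0
    if grep -q '"ecr-login"' "$cfg" 2>/dev/null; then
        echo "config: ecr-login helper referenced in $cfg"
    else
        echo "config: no ecr-login helper in $cfg"; rc=1
    fi
    if [ -n "${AWS_PROFILE:-}" ]; then
        conf=${AWS_CONFIG_FILE:-$HOME/.aws/config}
        cred=${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}
        if profile_defined "$AWS_PROFILE" "$conf" "$cred"; then
            echo "profile: '$AWS_PROFILE' is defined"
        else
            echo "profile: '$AWS_PROFILE' not defined in $conf or $cred"; rc=1
        fi
    else
        echo "profile: AWS_PROFILE unset, default credential chain applies"
    fi
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo "env: static keys set; they are tried before instance metadata"
    fi
    return $rc
}
# Usage in the job, before /kaniko/executor:
#   preflight /kaniko/.docker/config.json || exit 1
```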
