Doesn't work with AWS SSO #229
Comments
I assume you did
@FernandoMiguel yes, I did, and I can pull the images if I manually log in to docker.
Not everything can read the credential store that SSO uses, which is a bunch of JSON files in Maybe try this small util I wrote that does an SSO login and copies the credentials into your "normal"
The solution I use with other applications that do not yet natively support AWS SSO is an external However, this doesn't currently work with
This is because the output from the credential process is longer than 1024 characters, but the max buffer size was only increased in aws-sdk-go v1.25.42. Until proper SSO support is added here, it would be great to bump the SDK version to allow use of
This issue is becoming more important with the release of the latest version of docker v2.4.0. There seems to be a limit of 2500 characters on the auth token that makes the
It's not a solution in all situations but for those looking for a workaround for trying to push from a local computer the following might work:
For those that need to support many teams with this, I've created a temporary workaround credential helper. It's working with our teams with AWS SSO, but it's definitely not the "secure" solution. Our tokens only live for 4 hours though, so the security window is fairly small. I'd definitely prefer that other credential helpers step up and resolve the issue in a more secure fashion.
@dougrday. Your solution is the only one that worked for me. I understand the risk of exposing the password for a short period of time. That said, it is the only workaround until other credential helpers solve this issue.
Hi @otaviomedeirossb, as already stated, AWS CLI v2 will write AWS SSO temporary credentials under the ~/.aws/cli/cache folder, which in many cases ends up in a "credentials not found" issue. I'm currently working on an open source project that addresses this problem too. Indeed, it provides support for AWS SSO and lists all the IAM Roles that your AWS SSO User can access. By clicking a session card associated with an IAM Role, Leapp will generate temporary credentials to access your AWS Organization's Account, inside the ~/.aws/credentials file. Let me know if it makes sense to you and if you have questions about it.
I've also taken a stab at this, and ended up with something that doesn't rely on node and doesn't store temp credentials anywhere*. It's working well for me, and hopefully it's of some value to the rest of you as well. https://github.com/TylerLubeck/docker-credentials-aws-ecr-sso *Not to say that these things are bad, they just don't fit for my use case
I can confirm this particular issue with As for native support of SSO I imagine this is stalled until something like this: aws/aws-sdk-go#3610 is merged to the SDK, then it will Just Work™ with another SDK upgrade because it seems it'll be part of the default profile credential parser. Also, sidebar - it seems that Docker Desktop for Mac is overwriting /usr/local/bin/docker-credential-ecr-login when the application is started, which is seemingly terrible and they should feel bad for doing that. So that's also a mess 🤸
Now that aws/aws-sdk-go#3610 has merged and is released as part of aws-sdk-go v1.37.0+, when will this dependency be upgraded in the project? Currently it is v1.36.0, and while there are significant changes the aws-sdk-go CHANGELOG.md doesn't appear to immediately call out risks for this project. This is one of the final tools we rely on to formally adopt the native AWS SSO credential protocol for us to deprecate our custom shim scripts.
I was wondering if a release is planned in the next coming weeks :) This is also one of the last tools I need for AWS SSO adoption. For now I guess I will build it from source, but a release would be better!
For anyone wandering in from Google, I can confirm that #267 fixes this for me after building from source.
Hi @tristanpemble, is there a new release of this with that fix, or do you have to build from source?
Last release: Feb 15th; date of the MR that fixes this: Feb 22nd. Yup, you still have to build from source.
Thanks @awilkins, sad. Anyone here able to kick off a release and get it on brew?
Seconding (Nth-ing?) the request for a homebrew release with this change included 🙏
We use Nix here. In the off chance that you are also using Nix, here is the overlay that we use:

```nix
self: super:
{
  amazon-ecr-credential-helper = super.amazon-ecr-credential-helper.overrideAttrs (old: {
    src = super.fetchFromGitHub {
      owner = "awslabs";
      repo = "amazon-ecr-credential-helper";
      rev = "efd1603705e91c31bf28cbbc5dba8c3e09c63100";
      sha256 = "sha256:0d2nc4rl0pl3mspvavxixa6lsjnnx5g05srpw1f68wqbj0vb7kd1";
    };
  });
}
```
This is still a problem for Homebrew users as the current formula is pinned at 0.5.0 (b19192b).
It looks like the Homebrew formula is updated now. In my case, I had to force-link it after installing, to overwrite the
After all of the above, I was able to painlessly pull images from ECR again. |
I am using What am I missing? 🤔 My dockerconfig is:
@gautam-nutalapati make sure that you are setting the environment variable
I tried this, but unfortunately same thing
Let us take a look this week.
@gautam-nutalapati I had the same problem as you reported.
Same problem here, setting AWS_PROFILE= doesn't work as well. I tried many different combinations and the credential helper did not work.
Does your IAM user have
@matuszeman yes, I have the GetAuthorizationToken permission. I noticed a log file inside the .ecr folder with this line that might help:
This command works:

```console
❯ aws ecr get-login-password --region ap-east-1 --profile myprofile | docker login --username AWS --password-stdin XXX.dkr.ecr.ap-east-1.amazonaws.com
❯ docker push XXX.dkr.ecr.ap-east-1.amazonaws.com/my-ecr-repo:latest
The push refers to repository [XXX.dkr.ecr.ap-east-1.amazonaws.com/my-ecr-repo]
370e6XXXXXXX: Pushed
latest: digest: sha256:XXXXXXXXXX size: 1987
```

But this doesn't; does anyone have a similar problem?

```console
❯ AWS_PROFILE=myprofile docker push XXX.dkr.ecr.ap-east-1.amazonaws.com/my-ecr-repo:latest
The push refers to repository [XXX.dkr.ecr.ap-east-1.amazonaws.com/my-ecr-repo:latest
370e6XXXXXXX: Preparing
no basic auth credentials
❯ cat ~/.ecr/log/ecr-login.log
time="2023-02-02T10:48:11+08:00" level=debug msg="Could not fetch credentials for cache prefix, disabling cache" error="the SSO session has expired or is invalid: open /Users/me/.aws/sso/cache/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX.json: no such file or directory"
time="2023-02-02T10:48:11+08:00" level=debug msg="Retrieving credentials" region=ap-east-1 registry=XXX serverURL=XXX.dkr.ecr.ap-east-1.amazonaws.com service=ecr
time="2023-02-02T10:48:11+08:00" level=debug msg="Calling ECR.GetAuthorizationToken" registry=XXX
time="2023-02-02T10:48:11+08:00" level=error msg="Error retrieving credentials" error="ecr: Failed to get authorization token: operation error ECR: GetAuthorizationToken, failed to sign request: failed to retrieve credentials: the SSO session has expired or is invalid: open /Users/me/.aws/sso/cache/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX.json: no such file or directory"
```
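A small diagnostic, added here and not part of the amazon-ecr-credential-helper project, that parses log lines in the key=value format the helper writes to ~/.ecr/log/ecr-login.log, names the failure (the "SSO session has expired or is invalid" case in the comment above), pulls out the SSO cache file the helper tried to open, and judges a cache entry by its expiry time. The log lines and cache contents are constructed; the cache layout (AWS CLI v2 JSON with an ISO-8601 UTC `expiresAt` field) is an assumption.

```python
import re
from datetime import datetime
from typing import Optional

# logrus text format: key=value or key="quoted value" (quoted alternative tried first).
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_CACHE_PATH = re.compile(r"open (\S+\.json)")

# Constructed log lines modelled on the ~/.ecr/log/ecr-login.log excerpt above.
SAMPLE_LOG = [
    'time="2023-02-02T10:48:11+08:00" level=debug msg="Could not fetch credentials for cache prefix, disabling cache" '
    'error="the SSO session has expired or is invalid: open /Users/me/.aws/sso/cache/0123abcd.json: no such file or directory"',
    'time="2023-02-02T10:48:11+08:00" level=debug msg="Retrieving credentials" region=ap-east-1 '
    'registry=123456789012 serverURL=123456789012.dkr.ecr.ap-east-1.amazonaws.com service=ecr',
    'time="2023-02-02T10:48:11+08:00" level=error msg="Error retrieving credentials" '
    'error="ecr: Failed to get authorization token: operation error ECR: GetAuthorizationToken, failed to sign request: '
    'failed to retrieve credentials: the SSO session has expired or is invalid: open /Users/me/.aws/sso/cache/0123abcd.json: no such file or directory"',
]

def parse_logfmt(line: str) -> dict:
    """Split one log line into a dict; quoted values lose their quotes and escapes."""
    out = {}
    for key, raw in _PAIR.findall(line):
        out[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return out

def classify(entry: dict) -> str:
    """Name the failure the helper reports; 'ok' for non-error lines."""
    err = entry.get("error", "")
    if "SSO session has expired or is invalid" in err:
        return "sso-expired"        # remedy: aws sso login --profile <name>
    if "GetAuthorizationToken" in err:
        return "ecr-auth-failed"    # credentials were found but the ECR call failed
    return "other-error" if entry.get("level") == "error" else "ok"

def sso_cache_path(entry: dict) -> Optional[str]:
    """Path of the SSO token cache file the helper tried to open, if any."""
    m = _CACHE_PATH.search(entry.get("error", ""))
    return m.group(1) if m else None

def sso_cache_status(cache: Optional[dict], now_iso: str) -> str:
    """Judge a loaded SSO cache file; None means the file was absent (the case above).
    Assumes the AWS CLI v2 layout with an ISO-8601 UTC 'expiresAt' field."""
    if cache is None:
        return "missing"
    exp = datetime.fromisoformat(cache["expiresAt"].replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return "valid" if exp > now else "expired"
```

Run `classify(parse_logfmt(line))` over each line of the real log and, when it reports `sso-expired`, load the file named by `sso_cache_path` into `sso_cache_status` to tell a missing cache apart from a stale one.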
Yes. I can reproduce.
FYI, SSO-related issues seem to be gone in a new binary version (077b4a9), which can be built manually from the sources. Not sure why new releases are not posted for such a long time already
Thanks for the heads-up @vtatarin. I've had a few issues with SSO bugs in my team. @samuelkarp @austinvazquez I noticed you have changed I'd love to see the newer version with bugfixes released. This is what I see locally; my credentials helper is packaged with docker and pinned at 0.6.0:
@gondalez I no longer work at Amazon.
Thanks! I've wasted half a day on trying to fix this, until I ended up here... Installing from source did the job:
@gondalez thanks for the interest in the project and the feedback. As others have noted building from main will help the immediate pain. That said let me bring this up with the team to see about an updated release with these fixes.
Special thanks to @fangn2 who worked to push this through. v0.7.0 is available with a fix for the issue.
Ran into the same issue. Solved by installing from source per the README and also explicitly setting AWS_PROFILE. Is there a way for the helper to use the default profile if AWS_PROFILE is not specified? It's a bit annoying to manually specify the profile.
Works for one day; once creds expire it breaks. Guess no longer supported properly by AWS. Back to insecure ways of doing things until something stable comes along. Tried everything posted here including the profile and updating from go, rm-ing files under .ecr and .aws/credentials
@paminhoff I wonder if you need to do a
I am using the latest aws credentials helper and it works with aws sso:

```console
go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@latest
# copy the built binary (not the whole bin directory) onto the PATH docker searches
sudo cp $GOPATH/bin/docker-credential-ecr-login /usr/bin/
```

This is my

```json
{
  "credHelpers": {
    "<aws-user-id>.dkr.ecr.<aws-cli-region>.amazonaws.com": "ecr-login"
  }
}
```
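The key under `credHelpers` has to equal the registry host of the image being pushed or pulled, which is where the "what am I missing" reports above (wrong region or account in the key, helper never invoked, `no basic auth credentials`) usually come from. This added example, not Docker's or the helper's own code, mirrors the Docker CLI's lookup order (exact `credHelpers` match, then the global `credsStore`) and reports account/region mismatches for ECR hosts; the config is constructed and the Docker Hub config key is an assumption.

```python
import re
from typing import Optional

# Config key the Docker CLI uses for Docker Hub (assumption about Docker's behaviour).
DOCKER_HUB = "https://index.docker.io/v1/"
_ECR_HOST = re.compile(r"^(\d{12})\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com$")

# Constructed ~/.docker/config.json content, registered for one ECR registry only.
CONFIG = {
    "credHelpers": {
        "123456789012.dkr.ecr.ap-east-1.amazonaws.com": "ecr-login",
    },
}

def registry_of(image_ref: str) -> str:
    """Registry host for an image reference, following Docker's rule: the first
    path component is a registry only if it contains '.' or ':' or is
    'localhost'; anything else (nginx, library/nginx) lives on Docker Hub."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB

def helper_for(config: dict, image_ref: str) -> str:
    """Credential helper Docker invokes for image_ref: an exact credHelpers match
    first, then the global credsStore, else 'none' (only inline auths remain)."""
    registry = registry_of(image_ref)
    helpers = config.get("credHelpers", {})
    if registry in helpers:
        return helpers[registry]
    return config.get("credsStore") or "none"

def ecr_mismatch(config: dict, image_ref: str) -> Optional[str]:
    """Explain why an ECR image reference gets no helper: the configured
    credHelpers key differs from the target registry in account or region."""
    registry = registry_of(image_ref)
    target = _ECR_HOST.match(registry)
    if not target or helper_for(config, image_ref) != "none":
        return None
    for key in config.get("credHelpers", {}):
        conf = _ECR_HOST.match(key)
        if conf:
            field = "account" if conf.group(1) != target.group(1) else "region"
            return "credHelpers key %s differs in %s from %s" % (key, field, registry)
    return "no credHelpers entry for ECR registry %s" % registry
```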
I'm trying to make it work with AWS SSO but I'm getting `NoCredentialProviders`. I used `aws configure sso` to create a profile on my local machine and I can manually `docker login` and pull images from ECR like this:

My `~/.aws/config` looks something like:

Nothing was added to `~/.aws/credentials`. I logged out docker, installed `docker-credential-helper-ecr` and set `~/.docker/config.json`:

and:

When I:

I get:

It works fine on another AWS account which is not SSO and I have my access keys set in `~/.aws/credentials`. Does it work with AWS SSO somehow?