Error when upgrading to the aws-cli orb 4.1.2 #316

Open
mattbasta opened this issue Jan 2, 2024 · 2 comments
@mattbasta

Orb version

9.0.1

What happened

When using aws-cli 4.1.1, I'm able to build my image with this step:

      - aws-ecr/build_and_push_image:
          account_id: 'xxxxxxx'
          auth:
            - aws-cli/setup:
                role_arn: 'arn:aws:iam::xxxxxxx:role/xxxxxxx-circleci'
                role_session_name: 'xxxxxxx'
          public_registry: false
          platform: linux/arm64
          region: 'us-east-1'
          repo: 'xxxxxxx'
          tag: 'xxxxxxx-$CIRCLE_SHA1'

With 4.1.1, the "Log into Amazon ECR with profile default" step prints this and exits successfully:

Removing login credentials for xxxxxxx.dkr.ecr.us-east-1.amazonaws.com
WARNING! Your password will be stored unencrypted in /home/circleci/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

However, if I upgrade to 4.1.2, I get

Removing login credentials for xxxxxxx.dkr.ecr.us-east-1.amazonaws.com

An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::xxxxxxx:user/xxxxxxx is not authorized to perform: ecr:GetAuthorizationToken on resource: * because no identity-based policy allows the ecr:GetAuthorizationToken action
Error: Cannot perform an interactive login from a non TTY device

Exited with code exit status 1

and the build fails.

Expected behavior

Between versions of aws-cli, there should not have been a change in behavior.

@mattbasta mattbasta added the bug Something isn't working label Jan 2, 2024
@brivu brivu self-assigned this Jan 25, 2024
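
The failing log in the report above names an IAM user ARN as the caller, while the job passes a `role_arn`; a check run before the ECR login can confirm that the active identity is a session of that role. This is an added example, not part of the issue or of the orb's code; the function names and the sample ARNs in the comments are hypothetical.

```shell
#!/bin/sh
# Added example: verify that the credentials in use belong to the configured
# role before logging in to ECR. ARNs in comments are constructed samples.

# Return 0 if caller_arn is an assumed-role session of role_arn, else 1.
#   caller_arn: "Arn" value from `aws sts get-caller-identity`
#   role_arn:   value passed as role_arn to the setup step
caller_is_role() {
  local caller_arn="$1" role_arn="$2"
  local partition account role_name want_prefix

  # Expected shape: arn:<partition>:iam::<account>:role/[path/]<name>
  case "$role_arn" in
    arn:*:iam::*:role/?*) ;;
    *) return 1 ;;
  esac
  partition="$(printf '%s' "$role_arn" | cut -d: -f2)"
  account="$(printf '%s' "$role_arn" | cut -d: -f5)"
  # STS session ARNs omit any IAM path, so compare on the last segment only.
  role_name="${role_arn##*/}"

  # A session looks like:
  #   arn:aws:sts::111122223333:assumed-role/example-circleci/<session-name>
  want_prefix="arn:${partition}:sts::${account}:assumed-role/${role_name}/"
  case "$caller_arn" in
    "${want_prefix}"?*) return 0 ;;
    *) return 1 ;;   # IAM user, other role, or other account
  esac
}

# Fail early with a readable message instead of an AccessDeniedException
# from a later API call. Returns 2 if the identity lookup itself fails.
require_role_identity() {
  local role_arn="$1" caller_arn
  caller_arn="$(aws sts get-caller-identity --query Arn --output text)" || return 2
  if ! caller_is_role "$caller_arn" "$role_arn"; then
    echo "active identity ${caller_arn} is not a session of ${role_arn}" >&2
    return 1
  fi
}
```

Calling `require_role_identity "<role_arn>"` in a step placed before the login prints which identity is actually active when the two differ.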
@brivu
Contributor

brivu commented Jan 25, 2024

Hey @mattbasta,

I've tried this on my end similar to your job:

version: 2.1
orbs:
  aws-cli: circleci/aws-cli@4.1.2
jobs:
      - aws-ecr/build_and_push_image:
          auth:
            - aws-cli/setup:
                role_arn: arn:aws:iam::122211685980:role/CPE_ECR_OIDC_TEST
                role_session_name: Test-aws-cli-4.1.2
          repo: aws-ecr-orb-${CIRCLE_SHA1:0:7}-build-test-then-push-with-buildx
          create_repo: true
          context: [CPE-OIDC]
          dockerfile: sample/Dockerfile
          platform: linux/arm64

I am able to log in successfully in this job:

image

Can you give me some more details about your job so we can debug this further?

@mattbasta
Author

Hey @brivu, our config is quite large and has lots of details. I'm not sure that I have a more minimal version handy. I can provide the policy on the role if that would be helpful?
