I'm not able to push Docker images to Amazon ECR with Jenkins Pipeline; I always get `no basic auth credentials`

      I've added AWS credentials named `aws-jenkins` to Jenkins (tested locally and successfully pushed to AWS ECR)

      Jenkinsfile:

      stage("Docker") {
        dir(path) {
          docker.build("my-image:latest")
        }
        docker.withRegistry("https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com", "ecr:eu-central-1:aws-jenkins") {
          // debug
          sh "cat /root/.dockercfg" 
          docker.image("my-image:latest").push()
        }
      }

       

      Logs:

      [Pipeline] withDockerRegistry
      Wrote authentication to /root/.dockercfg
      [Pipeline] {
      [Pipeline] sh
      [docker-emotion-compilers] Running shell script
      + cat /root/.dockercfg
      {"https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com": {
      "auth": "[...]",
      "email": "nobody@example.com"
      }}[Pipeline] sh
      [docker-emotion-compilers] Running shell script
      + docker tag --force=true my-image:latest <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:latest
      Warning: '--force' is deprecated, it will be removed soon. See usage.
      [Pipeline] sh
      [docker-emotion-compilers] Running shell script
      + docker push <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:latest
      The push refers to a repository [<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image]
      e30bf54e0f87: Preparing
      b9f2c30c0d28: Preparing
      5defc95691fd: Preparing
      295d6a056bfd: Preparing
      no basic auth credentials
      [Pipeline] }
      [Pipeline] // withDockerRegistry

       

      I also tried with other AWS credentials and I always get the `no basic auth credentials` error.


          [JENKINS-44143] ECR plugin: no basic auth credentials

          Ivan Fernandez Calvo added a comment -

          The token is generated correctly. It is failing on the docker.withRegistry step; I am gonna check how to troubleshoot this.

          Jun 19, 2017 12:38:25 PM FINE com.cloudbees.jenkins.plugins.amazonecr.AmazonECSRegistryCredential
          Success

          Ivan Fernandez Calvo added a comment -

          You have to check the token in $HOME/.dockercfg against the token in the logs to be sure that it is the same. Which Docker CLI version do you use?
          + cat /root/.dockercfg
          {"https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com": {"auth": "[...]","email": "nobody@example.com"}}

          Cedric Thiebault added a comment - - edited
          $ docker -v
          Docker version 17.03.1-ce, build c6d412e
          $ cat .dockercfg
          {
          "https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com": {
          "auth": "xxx",
          "email": "nobody@example.com"}
          }


          Even André Fiskvik added a comment -

          I tried both setting `env.AWS_ECR_LOGIN = true` and `env.AWS_ECR_DISABLE_CACHE = true` but still got the message

          `Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one.`

          Had to delete the `~/.dockercfg` file to get it working.

          James Heggs added a comment -

          Same experience here setting the suggested environment variables.

          I'm unsure as to why the issue is closed whilst a fix hasn't been agreed/documented?


          Ivan Fernandez Calvo added a comment -

          eggsy1984 This issue is closed because it is not related to the ECR Plugin; it does not save anything to disk or interact with docker. The ECR Plugin only accesses Amazon ECR to request a token to create a virtual credential on Jenkins. This issue could be related to docker or to docker-workflow-plugin, dunno.

          James Heggs added a comment -

          No problem ifernandezcalvo thank you for the clarification


          Tom Manterfield added a comment -

          Just wanted to leave a note here for anyone stumbling across this whilst trying to debug. I had the same problem and chased it down to how the docker-commons plugin uses docker configs. It seems that it will only use/save to the newer .docker/config.json if it already exists, otherwise it saves auths to the .dockercfg file (which is then ignored depending on your docker version/setup).

          I had to add both the environment variable DOCKER_CONFIG=$JENKINS_HOME/.docker and create a stub config.json file with the content '{"auths":{}}' within that DOCKER_CONFIG dir. Once I did both of these things, it all worked perfectly.
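
One way to script the setup described in the comment above, with a check for which file the registry entry actually landed in. This is an added example, not code from the thread or from the docker-commons plugin; the function names and directory arguments are assumptions, and it relies on the Docker CLI reading `config.json` from the directory named by `DOCKER_CONFIG`.

```shell
#!/bin/sh
# Added example: function names and arguments are illustrative.

# Create the DOCKER_CONFIG directory and a stub config.json if none exists.
# An existing config.json is left untouched so stored auths are not wiped.
ensure_docker_config() {
    cfg_dir=$1
    ( umask 077 && mkdir -p "$cfg_dir" ) || return 1
    chmod 700 "$cfg_dir" || return 1
    if [ ! -e "$cfg_dir/config.json" ]; then
        ( umask 077 && printf '%s\n' '{"auths":{}}' > "$cfg_dir/config.json" ) || return 1
    fi
    # The file will hold registry tokens: owner read/write only.
    chmod 600 "$cfg_dir/config.json"
}

# Report which file mentions the registry host:
#   config - $cfg_dir/config.json (what the CLI reads when DOCKER_CONFIG=$cfg_dir)
#   legacy - only $home_dir/.dockercfg (the situation the comment describes)
#   none   - no entry in either file
auth_location() {
    registry=$1 cfg_dir=$2 home_dir=$3
    if grep -qF "$registry" "$cfg_dir/config.json" 2>/dev/null; then
        echo config
    elif grep -qF "$registry" "$home_dir/.dockercfg" 2>/dev/null; then
        echo legacy
    else
        echo none
    fi
}

# Constructed demo in a scratch directory; no real credentials are involved.
demo_dir=$(mktemp -d)
ensure_docker_config "$demo_dir/.docker"
auth_location "registry.example.invalid" "$demo_dir/.docker" "$demo_dir"
rm -rf "$demo_dir"
```

A `legacy` result after a `docker.withRegistry` step means the token was written to `.dockercfg` while the CLI is looking at `config.json`.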

          Peter Brunner added a comment -

          tictocs a question for you, if you will. I too ran into this problem and noticed that the $JENKINS_HOME that this ECR plugin runs with differed from the $JENKINS_HOME that the docker plugin used. This essentially caused the config.json to be written to one place while docker looked in another. Was this the case for you too?


          Ivan Fernandez Calvo added a comment -

          I forgot to put this workaround here; this removes the docker credentials before creating new ones from Amazon ECR

          node {
                  //cleanup current user docker credentials
                  sh 'rm ~/.dockercfg || true'
                  sh 'rm ~/.docker/config.json || true'

                  //configure registry
                  docker.withRegistry('https://ID.ecr.eu-west-1.amazonaws.com', 'ecr:eu-west-1:86c8f5ec-1ce1-4e94-80c2-18e23bbd724a') {

                      //build image
                      def customImage = docker.build("my-image:${env.BUILD_ID}")

                      //push image
                      customImage.push()
                  }
          }

            ifernandezcalvo Ivan Fernandez Calvo
            cthiebault Cedric Thiebault