-
Bug
-
Resolution: Not A Defect
-
Minor
-
None
-
- Jenkins 2.46.2
- Amazon ECR plugin 1.6
I'm not able to push Docker images to Amazon ECR with Jenkins Pipeline, I always get
no basic auth credentials
I've added AWS credentials named `aws-jenkins` to Jenkins (tested locally and successfully pushed to AWS ECR)
Jenkinsfile:
stage("Docker") { dir(path) { docker.build("my-image:latest") } docker.withRegistry("https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com", "ecr:eu-central-1:aws-jenkins") { // debug sh "cat /root/.dockercfg" docker.image("my-image:latest").push() } }
Logs:
[Pipeline] withDockerRegistry
Wrote authentication to /root/.dockercfg
[Pipeline] {
[Pipeline] sh
[docker-emotion-compilers] Running shell script
+ cat /root/.dockercfg
{"https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com": {
"auth": "[...]",
"email": "nobody@example.com"
}}[Pipeline] sh
[docker-emotion-compilers] Running shell script
+ docker tag --force=true my-image:latest <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:latest
Warning: '--force' is deprecated, it will be removed soon. See usage.
[Pipeline] sh
[docker-emotion-compilers] Running shell script
+ docker push <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:latest
The push refers to a repository [<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image]
e30bf54e0f87: Preparing
b9f2c30c0d28: Preparing
5defc95691fd: Preparing
295d6a056bfd: Preparing
no basic auth credentials
[Pipeline] }
[Pipeline] // withDockerRegistry
I also tried with other AWS credentials and I always get no basic auth credentials error 
- duplicates
-
-
- Closed
-
- is related to
-
-
- Reopened
-
-
-
- Open
-
-
-
- Resolved
-
[JENKINS-44143] ECR plugin: no basic auth credentials
Cedric Thiebault
created issue -
I don't think the region is the problem, as I'm using eu-central-1 region for the authentication and push:
docker.withRegistry("https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com", "ecr:eu-central-1:aws-jenkins")
Or maybe when we define the AWS in Jenkins, it tries to authenticate first within the default us-east-1 region as I have this message:
These credentials are valid but do not have access to the "AmazonEC2" service in the region "us-east-1". This message is not a problem if you need to access to other services or to other regions. Message: "You are not authorized to perform this operation. (UnauthorizedOperation)"
I don't think that the token is expired as it never worked...
And finally, my Jenkins slave is running inside a Docker container so it can't be Windows related 
Is there a way to have more verbose log for this plugin?
Thanks for your help!
Cedric Thiebault
added a comment - - edited I don't think the region is the problem, as I'm using eu-central-1 region for the authentication and push:
docker.withRegistry( "https: //<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com" , "ecr:eu-central-1:aws-jenkins" )
Or maybe when we define the AWS in Jenkins, it tries to authenticate first within the default us-east-1 region as I have this message:
These credentials are valid but do not have access to the "AmazonEC2" service in the region "us-east-1" . This message is not a problem if you need to access to other services or to other regions. Message: "You are not authorized to perform this operation. (UnauthorizedOperation)"
I don't think that the token is expired as it never worked...
And finally, my Jenkins slave is running inside a Docker container so it can't be Windows related
Is there a way to have more verbose log for this plugin?
Thanks for your help! I tested this pipeline on core 1.625 with plugin 1.14 and it works, I will make a test with 2.46 and last versions of Pipeline plugins I will keep you posted
node {
env.DOCKER_CERT_PATH="/home/user/.docker/machine/machines/default"
env.DOCKER_HOST="tcp://192.168.99.100:2376"
env.DOCKER_MACHINE_NAME="default"
env.DOCKER_TLS_VERIFY="1"
stage 'Checkout'
git 'https://github.com/kuisathaverat/docker-simplesamlphp.git'
stage 'Docker build'
docker.build('ecr-test')
stage 'Docker push'
docker.withRegistry("https://MYID.dkr.ecr.us-east-1.amazonaws.com/", "ecr:us-east-1:A27a5746a-f9d9-4e68-ad8a-c5df772cac53") {
docker.image('ecr-test').push('latest')
}
}
Cedric Thiebault
added a comment - I tested with default region us-east-1 and I got the same error...
But in case it could help, we see in the logs that /root/.dockercfg contains 2 authentifications (eu-central-1 and us-east-1) :
[Pipeline] // stage [Pipeline] stage [Pipeline] { (Push latest) [Pipeline] withEnv [Pipeline] { [Pipeline] withDockerRegistry Wrote authentication to /root/.dockercfg [Pipeline] { [Pipeline] sh [docker-emotion-compilers] Running shell script + cat /root/.dockercfg { "https://<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com": { "auth": "[...]", "email": "nobody@example.com" }, "https://<my-aws-id>.dkr.ecr.us-east-1.amazonaws.com": { "auth": "[...]", "email": "nobody@example.com" } }[Pipeline] sh [docker-emotion-compilers] Running shell script + docker tag --force=true my-image:latest <my-aws-id>.dkr.ecr.us-east-1.amazonaws.com/my-image:latest Warning: '--force' is deprecated, it will be removed soon. See usage. [Pipeline] sh [docker-emotion-compilers] Running shell script + docker push <my-aws-id>.dkr.ecr.us-east-1.amazonaws.com/my-image:latest The push refers to a repository [<my-aws-id>.dkr.ecr.us-east-1.amazonaws.com/my-image] e30bf54e0f87: Preparing b9f2c30c0d28: Preparing 5defc95691fd: Preparing 295d6a056bfd: Preparing no basic auth credentials
Cedric Thiebault
added a comment - I tested with default region us-east-1 and I got the same error...
But in case it could help, we see in the logs that /root/.dockercfg contains 2 authentifications (eu-central-1 and us-east-1) :
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Push latest)
[Pipeline] withEnv
[Pipeline] {
[Pipeline] withDockerRegistry
Wrote authentication to /root/.dockercfg
[Pipeline] {
[Pipeline] sh
[docker-emotion-compilers] Running shell script
+ cat /root/.dockercfg
{
"https: //<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com" : {
"auth" : "[...]" ,
"email" : "nobody@example.com"
},
"https: //<my-aws-id>.dkr.ecr.us-east-1.amazonaws.com" : {
"auth" : "[...]" ,
"email" : "nobody@example.com"
}
}[Pipeline] sh
[docker-emotion-compilers] Running shell script
+ docker tag --force= true my-image:latest <my-aws-id>.dkr.ecr.us-east-1.amazonaws.com/my-image:latest
Warning: '--force' is deprecated, it will be removed soon. See usage.
[Pipeline] sh
[docker-emotion-compilers] Running shell script
+ docker push <my-aws-id>.dkr.ecr.us-east-1.amazonaws.com/my-image:latest
The push refers to a repository [<my-aws-id>.dkr.ecr.us-east-1.amazonaws.com/my-image]
e30bf54e0f87: Preparing
b9f2c30c0d28: Preparing
5defc95691fd: Preparing
295d6a056bfd: Preparing
no basic auth credentials
I'm having the same problem here.
I started with eu-central-1 too, but could replicate with us-east-1.
cthiebault the eu-central-1 entry in your .dockercfg is from previous runs, new credentials are added to the existing file.
sidenote: I'm successfully using the ecr-plugin in the same Jenkins instance with the same credentials in a traditional freestyle project.
Oliver H
added a comment - - edited I'm having the same problem here.
I started with eu-central-1 too, but could replicate with us-east-1.
cthiebault the eu-central-1 entry in your .dockercfg is from previous runs, new credentials are added to the existing file.
sidenote: I'm successfully using the ecr-plugin in the same Jenkins instance with the same credentials in a traditional freestyle project. Cedric Thiebault
made changes -
| Environment |
Original:
- Jenkins 2.46.2 - Amazon ECR plugin 1.4 |
New:
- Jenkins 2.46.2 - Amazon ECR plugin 1.6 |
I've updated to 1.6 version and I still have same error using Jenkinsfile but I also get it in a regular freestyle project
Here is the log for freestyle project:
Successfully built e5053a59f190
[docker-compilers] $ docker tag e5053a59f190 <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:latest
[docker-compilers] $ docker inspect e5053a59f190
[docker-compilers] $ docker push <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:jessie
The push refers to a repository [<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image]
044e3cd6bd81: Preparing
6170631db5ee: Preparing
324428c1fd95: Preparing
8d4d1ab5ff74: Preparing
no basic auth credentials
Build step 'Docker Build and Publish' marked build as failure
Finished: FAILURE
Here is my job config:
Cedric Thiebault
added a comment - - edited I've updated to 1.6 version and I still have same error using Jenkinsfile but I also get it in a regular freestyle project
Here is the log for freestyle project:
Successfully built e5053a59f190
[docker-compilers] $ docker tag e5053a59f190 <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:latest
[docker-compilers] $ docker inspect e5053a59f190
[docker-compilers] $ docker push <my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image:jessie
The push refers to a repository [<my-aws-id>.dkr.ecr.eu-central-1.amazonaws.com/my-image]
044e3cd6bd81: Preparing
6170631db5ee: Preparing
324428c1fd95: Preparing
8d4d1ab5ff74: Preparing
no basic auth credentials
Build step 'Docker Build and Publish' marked build as failure
Finished: FAILURE
Here is my job config:
Cedric Thiebault
made changes -
| Attachment | New: ecr.png [ 38016 ] |
I have to test it but I think that it is related to docker-workflow plugin
Could you check this http://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors-docker.html#error-403 ?