Jenkins / JENKINS-34958

Getting "Your Authorization Token has expired" when using ECR credentials


Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • amazon-ecr-plugin
    • None
    • Jenkins 2.4
      Docker Build and Publish plugin 1.2.2 (+ PR #41)

    Description

      In an attempt to start moving away from our self-hosted Docker Registry, I came across this plugin to make it easier to push to Amazon ECR. And after a (fairly) quick fix of the Docker Build and Publish plugin, the time had come to make that happen.

      But instead I am getting this error when it attempts to push. So something is wrong.

      The push refers to a repository [somerepo.dkr.ecr.eu-west-1.amazonaws.com/imagename]
      1b29323a75d2: Preparing
      5bf87793f977: Preparing
      5ccb950f635d: Preparing
      965c3fc60463: Preparing
      f354df03c5c3: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      9523ecdf69b1: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      6d7b4f405a28: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      099efa904cb9: Preparing
      8f83f19c7186: Preparing
      1621d30a7846: Preparing
      e989ce4ed35e: Preparing
      ae30a2e42fe4: Preparing
      461f75075df2: Preparing
      5f70bf18a086: Preparing
      5f70bf18a086: Preparing
      6d7b4f405a28: Waiting
      099efa904cb9: Waiting
      8f83f19c7186: Waiting
      1621d30a7846: Waiting
      e989ce4ed35e: Waiting
      ae30a2e42fe4: Waiting
      461f75075df2: Waiting
      5f70bf18a086: Waiting
      9523ecdf69b1: Waiting
      f354df03c5c3: Image push failed
      f354df03c5c3: Image push failed
      461f75075df2: Waiting
      ae30a2e42fe4: Waiting
      e989ce4ed35e: Waiting
      1621d30a7846: Waiting
      8f83f19c7186: Waiting
      099efa904cb9: Waiting
      6d7b4f405a28: Waiting
      9523ecdf69b1: Waiting
      5f70bf18a086: Waiting
      Error parsing HTTP response: invalid character 'Y' looking for beginning of value: "Your Authorization Token has expired. Please run 'aws ecr get-login' to fetch a new one."
      Build step 'Docker Build and Publish' marked build as failure
      

      In the panel for updating the credentials I also get the message:

      These credentials are valid but do not have access to the "AmazonEC2" service in the region "us-east-1". This message is not a problem if you need to access to other services or to other regions. Message: "You are not authorized to perform this operation. (UnauthorizedOperation)"

      But I am using the AWS Managed policy "AmazonEC2ContainerRegistryPowerUser" to grant Jenkins access, and it should pretty much have full access to all the ECR calls it needs. We do use it in 'eu-west-1' though. But the warning clearly states not to worry about it if we are not in that region.

          Activity

            davidfic_cybric david ficociello added a comment -

            This is also preventing us from moving forward with this plugin. We are in us-west-2. Is there any timeline at all for this? It would greatly help to know so we can either wait or move on to other solutions.

            Thanks
            ajtrichards Alex Richards added a comment -

            Hi davidfic_cybric, modeengage,

            We managed to resolve this problem, after almost 3 weeks of conversation with AWS Support, by using the ecr-credential-helper.

            You can find the helper and documentation here: https://github.com/awslabs/amazon-ecr-credential-helper

            Good Luck!


            ecentinela Javier Martínez added a comment -

            When is this patch going to be released? This is a blocking issue for our company.
            deeboh CL W added a comment - - edited

            Hi guys, I've found that adding the --region $region_name to the aws ecr get-login command fixed a similar issue. Would it be possible to add --region to the plugin and deploy? You can see this usage from the AWS - ECS Console: click your repository link, then click the "View Push Command" button. It shows the use of the --region option. Is this being used by the ECR Jenkins plugin?

            Although I'm not completely convinced this is just a problem with this plugin. Prior to today the plugin worked fine. However, I upgraded my AWSCLI client to the latest version as well today (for some stupid reason) and now this plugin doesn't work.

            #annoying


            catufunwa Chima Atufunwa added a comment -

            Give setting this env a try, AWS_ECR_DISABLE_CACHE. It causes the plugin to not use the local cache.

            Source, https://github.com/awslabs/amazon-ecr-credential-helper/pull/3
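Added example, not part of the original thread and not code from the Jenkins plugin or the credential helper: a pre-push check that classifies a cached ECR token as usable, expired, or issued for a different region/registry, the two causes raised in the comments above (--region and the local cache). The function names and the sample entry are hypothetical; the entry is assumed to have the shape boto3 returns for one `authorizationData` item of `GetAuthorizationToken`, with `expiresAt` as a timezone-aware datetime.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# Registry host layout: <registry-id>.dkr.ecr.<region>.amazonaws.com
ECR_HOST = re.compile(
    r"^(?:https://)?([^./]+)\.dkr\.ecr\.([a-z0-9-]+)\.amazonaws\.com(?:[/:]|$)")


def registry_region(image_or_endpoint):
    """Return (registry_id, region) parsed from an ECR image name or endpoint."""
    m = ECR_HOST.match(image_or_endpoint)
    if not m:
        raise ValueError("not an ECR registry: %r" % image_or_endpoint)
    return m.group(1), m.group(2)


def check_token(auth, image, now, margin=timedelta(minutes=10)):
    """Classify one cached authorizationData entry for a push of `image`.

    Returns "ok", "wrong-registry" or "expired"; the secret is never returned.
    """
    if registry_region(auth["proxyEndpoint"]) != registry_region(image):
        return "wrong-registry"  # token issued for another region or registry
    if auth["expiresAt"] - now <= margin:
        return "expired"  # stale cache entry: a fresh token is needed
    decoded = base64.b64decode(auth["authorizationToken"]).decode()
    user, _, secret = decoded.partition(":")
    if user != "AWS" or not secret:
        raise ValueError("unexpected token format")
    return "ok"


# Constructed sample (placeholder password); ECR issues tokens valid for 12 hours.
NOW = datetime(2016, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "authorizationToken": base64.b64encode(b"AWS:placeholder-password").decode(),
    "expiresAt": NOW + timedelta(hours=12),
    "proxyEndpoint": "https://somerepo.dkr.ecr.eu-west-1.amazonaws.com",
}
IMAGE = "somerepo.dkr.ecr.eu-west-1.amazonaws.com/imagename"

if __name__ == "__main__":
    print(check_token(SAMPLE, IMAGE, NOW))
    print(check_token(SAMPLE, IMAGE, NOW + timedelta(hours=12)))
    other = dict(SAMPLE, proxyEndpoint="https://somerepo.dkr.ecr.us-east-1.amazonaws.com")
    print(check_token(other, IMAGE, NOW))
```

A result of "expired" or "wrong-registry" means the cached entry should be discarded and a token requested from the region named in the registry hostname.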

            People

              ifernandezcalvo Ivan Fernandez Calvo
              kristoffer Kristoffer Peterhänsel
              Votes: 11
              Watchers: 26
