Comments (5)

Flydiverny commented on May 23, 2024

I did some testing to simulate what happens in the login-action

Given this step below I will get the expected output (running on a self-hosted runner)

      - uses: actions/github-script@v5
        with:
          script: |
            await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
          result-encoding: string

{
    "UserId": "REDACTED:i-REDACTED",
    "Account": "REDACTED",
    "Arn": "arn:aws:sts::REDACTED:assumed-role/REDACTED/i-REDACTED"
}

Whereas if I added the process.env vars as the login-action does here, the step fails

      - uses: actions/github-script@v5
        with:
          script: |
            let username = ''
            let password = ''
            process.env.AWS_ACCESS_KEY_ID = username || process.env.AWS_ACCESS_KEY_ID;
            process.env.AWS_SECRET_ACCESS_KEY = password || process.env.AWS_SECRET_ACCESS_KEY;
            await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
          result-encoding: string

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
Error: Unhandled error: Error: The process '/usr/local/bin/aws' failed with exit code 254

A simple change to how we set the env vars should resolve it

      - uses: actions/github-script@v5
        with:
          script: |
            let username = ''
            let password = ''
            if (username) {
              process.env.AWS_ACCESS_KEY_ID = username;
            }
            if (password) {
              process.env.AWS_SECRET_ACCESS_KEY = password;
            }
            await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
          result-encoding: string

Which will get me my EC2 credentials again :)

Created a PR #114

from login-action.
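
Why the `||` form breaks the instance-role fallback while the `if` form does not, as an added example (not part of the comment above or of docker/login-action; the helper names are illustrative). Node stores anything assigned to `process.env` as a string, so an unset variable falling through `||` becomes the literal text `undefined`, which the AWS CLI then inherits as a static credential instead of using the EC2 role.

```javascript
// Added example; the helper names are illustrative, not from docker/login-action.
const AWS_KEYS = ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY'];

// Run fn with the static-credential variables unset (an EC2 runner relying on
// its instance role), then restore the caller's environment.
function withInstanceRoleEnv(fn) {
  const saved = AWS_KEYS.map((k) => process.env[k]);
  AWS_KEYS.forEach((k) => delete process.env[k]);
  try {
    return fn();
  } finally {
    AWS_KEYS.forEach((k, i) => {
      if (saved[i] === undefined) delete process.env[k];
      else process.env[k] = saved[i];
    });
  }
}

// Failing pattern: with both sides empty the right-hand side is undefined,
// and Node stores every value assigned to process.env as a string.
function setUnconditionally(username, password) {
  process.env.AWS_ACCESS_KEY_ID = username || process.env.AWS_ACCESS_KEY_ID;
  process.env.AWS_SECRET_ACCESS_KEY = password || process.env.AWS_SECRET_ACCESS_KEY;
}

// Fixed pattern: leave the variables alone unless an input was supplied.
function setOnlyWhenProvided(username, password) {
  if (username) process.env.AWS_ACCESS_KEY_ID = username;
  if (password) process.env.AWS_SECRET_ACCESS_KEY = password;
}

// What a child process such as the aws CLI would inherit for these keys.
function inheritedAwsEnv() {
  return Object.fromEntries(
    AWS_KEYS.filter((k) => process.env[k] !== undefined).map((k) => [k, process.env[k]])
  );
}

// Pre-flight check: names of credential variables holding a placeholder value.
function placeholderCreds() {
  return AWS_KEYS.filter((k) => ['undefined', 'null', ''].includes(process.env[k]));
}

const broken = withInstanceRoleEnv(() => { setUnconditionally('', ''); return inheritedAwsEnv(); });
const fixed = withInstanceRoleEnv(() => { setOnlyWhenProvided('', ''); return inheritedAwsEnv(); });
console.log('unconditional:', broken); // both keys hold the string "undefined"
console.log('guarded:', fixed);        // no keys set
```

A check like `placeholderCreds()` can run just before the CLI is invoked, so a placeholder value fails fast with a clear message rather than surfacing as an invalid-token error from AWS.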

crazy-max commented on May 23, 2024

@jkasarherou

the action should not attempt to overwrite the env vars for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in this case.

The environment variables are only overwritten if the username and password inputs are filled in.

Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

Can you give me the complete output of the action please? Some logs are missing (like AWS cli version used). Also looking at the error it looks like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars are wrong or not propagated to the action on your self-hosted runner.

spatel96 commented on May 23, 2024

I am also experiencing this issue with a self-hosted AWS EC2 runner and using the AWS aws-actions/configure-aws-credentials@v1 for populating credentials.

Example Configuration

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-region: us-west-1

      - name: Login to ECR
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY_URL }}

Action Debug Logs

##[debug]Evaluating condition for step: 'Login to ECR'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Login to ECR
##[debug]Register post job cleanup for action: docker/login-action@v1
##[debug]Loading inputs
##[debug]Evaluating: env.REGISTRY_URL
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'REGISTRY_URL'
##[debug]=> '***.dkr.ecr.us-west-1.amazonaws.com'
##[debug]Result: '***.dkr.ecr.us-west-1.amazonaws.com'
##[debug]Loading env
Run docker/login-action@v1
::save-state name=isPost::true
##[debug]Save intra-action state isPost = true
::save-state name=registry::***.dkr.ecr.us-west-1.amazonaws.com
##[debug]Save intra-action state registry = ***.dkr.ecr.us-west-1.amazonaws.com
::save-state name=logout::true
##[debug]Save intra-action state logout = true
AWS ECR detected with us-west-1 region
Retrieving docker login command through AWS CLI 1.18.147 (/usr/bin/aws)...
Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Login to ECR

spatel96 commented on May 23, 2024

I've just realised that it must be using an outdated version of the AWS CLI 1.18.147 which comes pre-installed on my self-hosted runner.

I will try and upgrade the AWS CLI version as a workaround.

UPDATE:

Despite the upgrade I am still seeing this issue:

Retrieving docker login command through AWS CLI 2.2.1 (/usr/local/bin/aws)...
Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.

nitrocode commented on May 23, 2024

I'm running into the same issue.

@crazy-max

Can you give me the complete output of the action please? Some logs are missing (like AWS cli version used). Also looking at the error it looks like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars are wrong or not propagated to the action on your self-hosted runner.

If the self-hosted runner is using an IAM role then these environment variables would not be set as the EC2 should reuse the IAM role for authentication, no?
