Comments (5)
I did some testing to simulate what happens in the login-action.
Given this step below, I will get the expected output (running on a self-hosted runner):
```yaml
- uses: actions/github-script@v5
  with:
    script: |
      await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
    result-encoding: string
```
```
{
    "UserId": "REDACTED:i-REDACTED",
    "Account": "REDACTED",
    "Arn": "arn:aws:sts::REDACTED:assumed-role/REDACTED/i-REDACTED"
}
```
Whereas if I added the process.env vars as the login-action does here, the step fails:
```yaml
- uses: actions/github-script@v5
  with:
    script: |
      let username = ''
      let password = ''
      process.env.AWS_ACCESS_KEY_ID = username || process.env.AWS_ACCESS_KEY_ID;
      process.env.AWS_SECRET_ACCESS_KEY = password || process.env.AWS_SECRET_ACCESS_KEY;
      await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
    result-encoding: string
```
```
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
Error: Unhandled error: Error: The process '/usr/local/bin/aws' failed with exit code 254
```
A simple change to how we set the env vars should resolve it:
```yaml
- uses: actions/github-script@v5
  with:
    script: |
      let username = ''
      let password = ''
      if (username) {
        process.env.AWS_ACCESS_KEY_ID = username;
      }
      if (password) {
        process.env.AWS_SECRET_ACCESS_KEY = password;
      }
      await exec.getExecOutput(await io.which('aws', true), ['sts', 'get-caller-identity'])
    result-encoding: string
```
Which will get me my EC2 credentials again :)
Created a PR #114
from login-action.
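An added illustration, not part of the comment above and not login-action's code: Node.js coerces anything assigned to `process.env` to a string, so on a runner with no static keys the `||` fallback stores the literal text `undefined`, and the AWS CLI reads environment credentials before it tries the instance role. The function names are hypothetical.

```javascript
// Added illustration; not login-action source. Function names are hypothetical.
const KEYS = ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY'];

// Pattern from the failing step: assigns even when both inputs are empty.
function setUnconditionally(username, password) {
  process.env.AWS_ACCESS_KEY_ID = username || process.env.AWS_ACCESS_KEY_ID;
  process.env.AWS_SECRET_ACCESS_KEY = password || process.env.AWS_SECRET_ACCESS_KEY;
}

// Pattern from the proposed change: only touch the variables when inputs exist.
function setIfProvided(username, password) {
  if (username) process.env.AWS_ACCESS_KEY_ID = username;
  if (password) process.env.AWS_SECRET_ACCESS_KEY = password;
}

// Run a setter on a runner-like environment with no static keys (instance
// role only), return what a child process such as the AWS CLI would inherit,
// then restore the caller's environment.
function simulate(setter, username, password) {
  const saved = KEYS.map((k) => process.env[k]);
  KEYS.forEach((k) => delete process.env[k]);
  try {
    setter(username, password);
    return Object.fromEntries(KEYS.map((k) => [k, process.env[k]]));
  } finally {
    KEYS.forEach((k, i) => {
      if (saved[i] === undefined) delete process.env[k];
      else process.env[k] = saved[i];
    });
  }
}

// Pre-flight check for a workflow step: names of credential variables that are
// set to a coerced placeholder rather than a real key.
function bogusCredentialVars(env) {
  return KEYS.filter((k) => k in env && ['undefined', 'null', ''].includes(env[k]));
}

console.log('unconditional:', simulate(setUnconditionally, '', ''));
console.log('guarded:      ', simulate(setIfProvided, '', ''));
```

Calling `bogusCredentialVars(process.env)` in a step before the login gives an early, readable failure instead of `InvalidClientTokenId` from the CLI.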
the action should not attempt to overwrite the env vars for AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in this case.
The environment variables are only overwritten if the username and password inputs are filled in.
Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
Can you give me the complete output of the action please? Some logs are missing (like AWS cli version used). Also looking at the error it looks like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars are wrong or not propagated to the action on your self-hosted runner.
from login-action.
I am also experiencing this issue with a self-hosted AWS EC2 runner and using the AWS aws-actions/configure-aws-credentials@v1 for populating credentials.
Example Configuration
```yaml
- name: Configure AWS Credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-region: us-west-1
- name: Login to ECR
  uses: docker/login-action@v1
  with:
    registry: ${{ env.REGISTRY_URL }}
```
Action Debug Logs
```
##[debug]Evaluating condition for step: 'Login to ECR'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Login to ECR
##[debug]Register post job cleanup for action: docker/login-action@v1
##[debug]Loading inputs
##[debug]Evaluating: env.REGISTRY_URL
##[debug]Evaluating Index:
##[debug]..Evaluating env:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'REGISTRY_URL'
##[debug]=> '***.dkr.ecr.us-west-1.amazonaws.com'
##[debug]Result: '***.dkr.ecr.us-west-1.amazonaws.com'
##[debug]Loading env
Run docker/login-action@v1
::save-state name=isPost::true
##[debug]Save intra-action state isPost = true
::save-state name=registry::***.dkr.ecr.us-west-1.amazonaws.com
##[debug]Save intra-action state registry = ***.dkr.ecr.us-west-1.amazonaws.com
::save-state name=logout::true
##[debug]Save intra-action state logout = true
AWS ECR detected with us-west-1 region
Retrieving docker login command through AWS CLI 1.18.147 (/usr/bin/aws)...
Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Login to ECR
```
from login-action.
I've just realised that it must be using an outdated version of the AWS CLI 1.18.147 which comes pre-installed on my self-hosted runner.
I will try and upgrade the AWS CLI version as a workaround.
UPDATE:
Despite the upgrade I am still seeing this issue:
```
Retrieving docker login command through AWS CLI 2.2.1 (/usr/local/bin/aws)...
Error: An error occurred (UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
```
from login-action.
I'm running into the same issue.
Can you give me the complete output of the action please? Some logs are missing (like AWS cli version used). Also looking at the error it looks like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env vars are wrong or not propagated to the action on your self-hosted runner.
If the self-hosted runner is using an IAM role then these environment variables would not be set as the EC2 should reuse the IAM role for authentication, no?
from login-action.