ecr-login credential helper doesn't pass through AWS variables #656

Closed
ollypom opened this issue Oct 25, 2023 · 0 comments · Fixed by #510
Labels
bug Something isn't working

ollypom commented Oct 25, 2023

Describe the bug
If a user is using the ecr-login credential helper with Finch, AWS environment variables set outside of the VM are not passed through into the VM.

For example, let's say the user sets export AWS_PROFILE=personal in their terminal, expecting the credential helper to use that profile (as it would on Linux); however, these variables are not passed through to nerdctl in the VM so finch push / pull will fail. My assumption is that Finch will therefore always use the default AWS credentials found in the /Users/<username>/.aws/config.

This may be fixed by #510

Steps to reproduce

$ export AWS_ACCOUNT_ID=111222333444
$ export AWS_REGION=eu-west-1
$ export AWS_PROFILE=personal

$ finch tag busybox:latest $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/nginx:latest
$ finch push --platform linux/arm64 $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/nginx:latest
FATA[0000] unexpected status from HEAD request to https://111222333444.dkr.ecr.eu-west-1.amazonaws.com/v2/nginx/blobs/sha256:fc9db2894f4e4b8c296b8c9dab7e18a6e78de700d21bc0cfaf5c78484226db9c: 403 Forbidden 
FATA[0000] exit status 1 

Expected behavior
The AWS variables to be passed through into the VM.

Workarounds
Don't use the credential helper and do a manual finch login when you do not want to use the default AWS credentials.

$ export AWS_ACCOUNT_ID=111222333444
$ export AWS_REGION=eu-west-1
$ export AWS_PROFILE=personal

$ aws ecr get-login-password --region $AWS_REGION | finch login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com
WARNING: Your password will be stored unencrypted in /Users/<username>/.finch/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Or I suppose you could set the environment variables in /Applications/Finch/os/finch.yaml if you know the AWS variables are not going to be changed often.

To help debug the issue as quickly as possible, we recommend generating a support bundle with finch support-bundle generate and attaching it to this issue. This packages all Finch-related configs and logs into one file.

ollypom added the bug label Oct 25, 2023
pendo324 linked a pull request Oct 31, 2023 that will close this issue
pendo324 added a commit that referenced this issue Oct 31, 2023
Issue #, if available: #656

*Description of changes:*
- invoke `aws configure export-credentials --format process` before
running any commands that could need credentials (build, pull, push)
- Pass the results into the VM as environment variables if the
command returns output
- Not every user may have the AWS CLI on the correct version to have the
`export-credentials --format process` command, falls back to previous
behavior in this case

TODO: add tests for new function

*Testing done:*
  - local testing



- [x] I've reviewed the guidance in CONTRIBUTING.md


#### License Acceptance

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Signed-off-by: Justin Alvarez <[email protected]>
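
The conversion the commit message above describes, as an added Go example (not Finch's own code): it parses the JSON printed by `aws configure export-credentials --format process` and builds the environment entries to hand to the VM, returning nothing when the command printed nothing so the caller can fall back. The function and type names, the use of the standard `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN` variable names, the expiry check and the sample values are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// processCreds mirrors the JSON from `aws configure export-credentials --format process`.
type processCreds struct {
	Version                                    int
	AccessKeyId, SecretAccessKey, SessionToken string
	Expiration                                 string // RFC 3339; empty for long-lived keys
}

// credsToEnv (hypothetical helper) turns the CLI output into KEY=VALUE pairs for the VM.
// Empty output returns (nil, nil) so the caller keeps its previous behaviour.
func credsToEnv(out []byte, now time.Time) ([]string, error) {
	if len(bytes.TrimSpace(out)) == 0 {
		return nil, nil
	}
	var c processCreds
	if err := json.Unmarshal(out, &c); err != nil {
		return nil, fmt.Errorf("parse credentials: %w", err)
	}
	if c.Version != 1 || c.AccessKeyId == "" || c.SecretAccessKey == "" {
		return nil, errors.New("unexpected credential document")
	}
	if c.Expiration != "" {
		exp, err := time.Parse(time.RFC3339, c.Expiration)
		if err != nil || !exp.After(now) {
			return nil, errors.New("credentials expired or expiration unparsable")
		}
	}
	env := []string{"AWS_ACCESS_KEY_ID=" + c.AccessKeyId, "AWS_SECRET_ACCESS_KEY=" + c.SecretAccessKey}
	if c.SessionToken != "" {
		env = append(env, "AWS_SESSION_TOKEN="+c.SessionToken)
	}
	return env, nil
}

func main() {
	// Constructed sample output, not real credentials.
	sample := []byte(`{"Version":1,"AccessKeyId":"AKIACONSTRUCTED","SecretAccessKey":"constructed-secret","SessionToken":"constructed-token","Expiration":"2024-01-01T01:00:00+00:00"}`)
	env, err := credsToEnv(sample, time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println(len(env), err) // print the count only, never the secret values
}
```

Only the three credential variables are forwarded, so nothing else from the host environment reaches the guest, and the values are never written to logs.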