Role arn not read from profile in config when using config file with web_identity_token_file #2469

Closed
imcdo opened this issue Jan 26, 2024 · 7 comments

imcdo commented Jan 26, 2024

Describe the bug

When using amazon-ecr-credential-helper to pull from ECR, it fails to pull credentials from the default profile with the following stack trace:

Unable to find image '<account>.dkr.ecr.us-west-2.amazonaws.com/<image>' locally 37:21
panic: role ARN is not set 37:21
goroutine 1 [running]: 37:21
github.com/awslabs/amazon-ecr-credential-helper/ecr-login/api.DefaultClientFactory.NewClientFromRegion({}, {0xc00002bf9d?, 0x0?}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/[email protected]/api/factory.go:84 +0x190 37:21
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login.ECRHelper.Get({{0x8aa120?, 0xb28ba0?}, 0xaf2cc0?}, {0xc000028f30, 0x2c}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/[email protected]/ecr.go:101 +0x113 37:21
 github.com/docker/docker-credential-helpers/credentials.Get({0x8a9d30, 0xc000012108}, {0x8a4e40?, 0xc00005e028?}, {0x8a4dc0, 0xc00005e030}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/[email protected]/credentials/credentials.go:154 +0x1fa 37:21
 github.com/docker/docker-credential-helpers/credentials.HandleCommand({0x8a9d30?, 0xc000012108?}, {0x7ffc942bad3e, 0x3}, {0x8a4e40?, 0xc00005e028?}, {0x8a4dc0?, 0xc00005e030?}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/[email protected]/credentials/credentials.go:96 +0x97 37:21
 github.com/docker/docker-credential-helpers/credentials.Serve({0x8a9d30, 0xc000012108}) 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/docker/[email protected]/credentials/credentials.go:80 +0x325 37:21
 main.main() 37:21
 	/home/semaphore/git/go/1.21.5/pkg/mod/github.com/awslabs/amazon-ecr-credential-helper/[email protected]/cli/docker-credential-ecr-login/main.go:52 +0x154 37:21
 docker: Error response from daemon: Head "https://<accoun>.dkr.ecr.us-west-2.amazonaws.com/v2/<image>": no basic auth credentials.

The default profile in the ~/.aws/config file is simply:

[profile default]
role_arn = arn:aws:iam::<account>:role/<role-name>
web_identity_token_file=<absolute path to existing token>

The panic originally comes from this project's call here,

eventually throwing the error here.

Expected Behavior

It reads the default profile as it was not specified in the environment variables, and reads the role name specified there.

Current Behavior

It fails to find the specified role name even though it is specified in the config.

Reproduction Steps

  1. Create a .aws/config file that has a default profile that assumes a role via a web_identity_token_file
  2. Configure docker to use amazon-ecr-credential-helper
  3. Attempt to pull an image

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

v1.26.3 for config

https://github.com/awslabs/amazon-ecr-credential-helper/blob/88cfadc80e8fe02f840937a6f9a638991f9e54f8/ecr-login/go.mod#L5-L15

Compiler and Version used

Operating System and version

Ubuntu 20.04

imcdo added the bug and needs-triage labels Jan 26, 2024
RanVaknin self-assigned this Jan 30, 2024
RanVaknin removed the needs-triage label Jan 30, 2024

RanVaknin (Contributor) commented

Hi @imcdo ,

amazon-ecr-credential-helper is not a product that the SDK team supports, therefore I cannot advise you on this particular problem.

I suggest you create this issue on their repo.

Thanks again,
Ran~

RanVaknin closed this as not planned Jan 30, 2024

imcdo commented Jan 30, 2024

@RanVaknin I understand that, however it's the usage of this SDK that seems to be broken, not their product.

RanVaknin (Contributor) commented

Based on the line of code you said it's throwing in, it seems like the SDK is not provided with the correct role to obtain credentials.

I'm not familiar with this tool, therefore I suggest we wait to hear back from the ECR team about this. Perhaps they will be able to shed some light on the matter.

Thanks,
Ran~

RanVaknin added the guidance, service-api and p2 labels and removed the bug label Jan 31, 2024

imcdo commented Feb 5, 2024

Thanks @RanVaknin will do.


lucix-aws commented Feb 19, 2024

I'm going to have to close this due to both inactivity in the upstream ticket and inability to reproduce the issue described.

The following sample program:

package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/credentials/stscreds"
)

func main() {
	cfg, err := config.LoadDefaultConfig(context.Background())
	if err != nil {
		log.Fatal(err)
	}

	fmt.Printf("%v\n", aws.IsCredentialsProvider(cfg.Credentials, &stscreds.WebIdentityRoleProvider{}))
}

with the following shared config

[default]
role_arn = arn:aws:iam::123456789:role/mock-role
web_identity_token_file=/Users/lucix/token

Prints true - in other words, we can observe it's correctly loaded both the token file and role ARN from shared config, rather than failing on the line you've indicated. I've verified that the behavior is correct on both config v1.26.3 and the latest v1.27.0.

Without the ability to reproduce the described issue, this isn't actionable for the SDK team.
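An added example, not part of the thread or of either project's code: a standard-library-only preflight that reads shared-config text and reports whether a profile carries both keys discussed above, flagging a token file that has no role ARN beside it. `WebIdentity` and `LookupWebIdentity` are hypothetical names, the token path is constructed, and treating the `[profile default]` header from the report and the `[default]` header from the reply as the same profile is this example's assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// WebIdentity holds the two shared-config keys discussed in this issue.
type WebIdentity struct{ RoleARN, TokenFile string }

// LookupWebIdentity scans shared-config text for the named profile and returns
// its role_arn and web_identity_token_file. Assumption of this example: a
// "[profile NAME]" header and a bare "[NAME]" header both select NAME.
func LookupWebIdentity(cfg, profile string) (WebIdentity, error) {
	var wi WebIdentity
	found, inProfile := false, false
	for _, raw := range strings.Split(cfg, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			name := strings.TrimSpace(line[1 : len(line)-1])
			name = strings.TrimSpace(strings.TrimPrefix(name, "profile "))
			inProfile = name == profile
			found = found || inProfile
			continue
		}
		// Lines without "=" (blank lines, comments) and other profiles are skipped.
		key, val, ok := strings.Cut(line, "=")
		if !inProfile || !ok {
			continue
		}
		switch strings.TrimSpace(key) {
		case "role_arn":
			wi.RoleARN = strings.TrimSpace(val)
		case "web_identity_token_file":
			wi.TokenFile = strings.TrimSpace(val)
		}
	}
	if !found {
		return wi, fmt.Errorf("profile %q not found", profile)
	}
	if wi.TokenFile != "" && wi.RoleARN == "" {
		return wi, fmt.Errorf("profile %q: web_identity_token_file set without role_arn", profile)
	}
	return wi, nil
}

func main() {
	// Constructed sample mirroring the config in the report.
	cfg := "[profile default]\nrole_arn = arn:aws:iam::123456789:role/mock-role\nweb_identity_token_file=/constructed/token\n"
	fmt.Println(LookupWebIdentity(cfg, "default"))
}
```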

lucix-aws added the bug label and removed the guidance, service-api and bug labels Feb 19, 2024

lucix-aws added the closed-for-staleness label and removed the p2 label Feb 19, 2024