Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS ECR retrievals fail using concourse/docker-image-resource 1.9 #372

Open
cheeseprocedure opened this issue Oct 21, 2024 · 0 comments
Open

AWS ECR retrievals fail using concourse/docker-image-resource 1.9 #372

cheeseprocedure opened this issue Oct 21, 2024 · 0 comments
Labels
bug

Comments

@cheeseprocedure
Copy link

Describe the bug

Version 1.9 of the concourse/docker-image-resource image fails to retrieve images from AWS Elastic Container Registry with the following error:

selected worker: concourse-worker-77f4fc7fdf-9nqjw
time="2024-10-21T18:32:53Z" level=error msg="Error retrieving credentials" error="ecr: Failed to get authorization token: not found, ResolveEndpointV2"
failed to get ECR credentials: credentials not found in native keychain

This appears to be a known aws-sdk-go-v2 isssue. From aws/aws-sdk-go-v2#2370 (comment):

To reiterate: this error occurs when using a version of the core aws-sdk-go-v2 module at or above v1.23.0 (essentially, released on or after 11/15/23) in combination with a service module released before that date.

The current contents of go.mod seem to meet these failure conditions, with aws-sdk-go-v2 v1.30.5 and other modules below v1.23.0:

	github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect
	github.com/aws/aws-sdk-go-v2/config v1.18.25 // indirect
	github.com/aws/aws-sdk-go-v2/credentials v1.13.24 // indirect
	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.3 // indirect
	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 // indirect
	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 // indirect
	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.34 // indirect
	github.com/aws/aws-sdk-go-v2/service/ecr v1.18.11 // indirect
	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.16.2 // indirect
	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect
	github.com/aws/aws-sdk-go-v2/service/sso v1.12.10 // indirect
	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.10 // indirect
	github.com/aws/aws-sdk-go-v2/service/sts v1.19.0 // indirect

1.8.1 (which contains aws-sdk-go-v2 v1.18.0) works fine.

Reproduction steps

  1. Configure a pipeline which makes use of concourse/docker-image-resource:1.9 to retrieve an image from an AWS ECR repository:
resource_types:
  - name: docker-image-resource
    type: docker-image
    privileged: true
    source:
      repository: concourse/docker-image-resource
      tag: 1.9

# ...

resources:
  - name: my-image-name
    type: docker-image-resource
    icon: docker
    source:
      repository: 123456789012.dkr.ecr.us-west-2.amazonaws.com/my-image-name
      tag: latest
  1. In the Concourse UI, click the my-image-name resource, then click the check: line to expand its log output. You should see output which includes the "ecr: Failed to get authorization token: not found, ResolveEndpointV2" error above.

Expected behavior

The ECR-hosted Docker image is successfully retrieved.

Additional context

Updating the image to contain the latest aws-sdk-go-v2 modules fixed our ECR issue. We did the following:

  1. cloned the repo
  2. ran go get -u github.com/aws/aws-sdk-go-v2/... (
  3. ran docker build -t docker-image-resource --build-arg base_image=paketobuildpacks/run-jammy-base:latest .
  4. pushed the image up to a private repo
  5. validated the private image by using it in place of concourse/docker-image-resource.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@cheeseprocedure